CVE漏洞中文网 (CVE Vulnerability Chinese Site)

0DayBank: a public site that collects and organizes vulnerability information from across the global internet

Web Application XML External Entity (XXE) File Inclusion Error

Published: December 11, 2017

Vulnerability category: Web Application

Severity:

Vulnerability Information

An XML External Entity (XXE) file inclusion error was detected. The web application parses user-controlled XML data with external entity resolution left enabled, and it returned an error when it was unable to access the resource referenced by the injected external entity.

Impact

If user-controlled XML data is parsed by a web application with external entities enabled, an attacker can declare an external entity (for example `<!ENTITY x SYSTEM "file:///path">`) to make the application access an attacker-specified local or remote resource. When the parser cannot access that resource it raises an error. If the error text is included in the HTTP response, the attacker can use it as an oracle to systematically profile the server's file system: determining whether particular files exist and whether the application's account has permission to read them. Where the referenced resource does resolve, the same entity mechanism returns its content to the parser, so the error behaviour is a symptom of a parser configuration that also permits direct file disclosure.

Solution

To prevent an XXE file inclusion error:

  • Disable external entity resolution and DTD processing in every XML parser used by the application, as described in the OWASP XXE Prevention Cheat Sheet (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet). Check every parser instance, including those created indirectly by frameworks, SOAP/WSDL stacks, SAML libraries and document converters.
  • Implement positive ("allow-list") input validation, filtering, or sanitization to reject hostile data within XML documents, headers, or nodes. Treat this as a secondary control: parser configuration, not input filtering, is what actually stops entity expansion.
  • Verify that XML or XSL data is properly validated against a schema. Prefer XSD over DTD-based validation, since validating against a DTD requires the DTD processing that the first item disables.
  • Ensure the XML processors and libraries used by the application are fully patched and up to date. A dependency checker or software composition analysis tool can help determine the risk posed by the libraries and components in the application.
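The following Python script is an added example, not code from the original advisory or from 0DayBank. It reproduces the behaviour described under Impact and the effect of the first remediation item using the standard-library xml.sax (expat) parser: with external general entities enabled, a constructed XXE payload discloses a file's content when the file exists and raises an error that names the path when it does not (the presence oracle the advisory describes); with the feature disabled, neither happens. The file names, the `db_password=hunter2` content and the helper names are assumptions made for the demonstration.

```python
"""Error-based XXE probing and its mitigation, demonstrated with Python's
stdlib xml.sax (expat) parser. Added example; not code from the advisory.
The file names and contents below are constructed for the demonstration."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_payload(path: str) -> bytes:
    """Constructed attacker payload: an internal DTD subset declaring an
    external general entity whose SYSTEM identifier is a local file URL."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://{path}">]>'
        "<data>&xxe;</data>"
    ).encode()


class _Collector(ContentHandler):
    """Gathers character data, the way an application reads the <data> value."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)


def parse_untrusted(payload: bytes, allow_external_entities: bool) -> dict:
    """Parse attacker-controlled XML and report what the application observes.

    allow_external_entities=True reproduces the vulnerable configuration:
    expat follows SYSTEM entities and reads the referenced resource.
    False is the hardened setting: external general entities are skipped,
    so no file is opened and no resource-specific error can be returned.
    """
    handler = _Collector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(payload))
    except Exception as exc:  # the raw error message is the oracle
        # An application that echoes this text into the HTTP response
        # hands the attacker a file-existence / permission oracle.
        return {"content": "".join(handler.chunks),
                "error": f"{type(exc).__name__}: {exc}"}
    return {"content": "".join(handler.chunks), "error": None}


def demo() -> dict:
    """Run the three scenarios against constructed files and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")       # exists: content leaks
        missing = os.path.join(tmp, "does-not-exist")  # absent: error names the path
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("db_password=hunter2")             # constructed secret
        return {
            "vulnerable_existing_file": parse_untrusted(build_payload(secret), True),
            "vulnerable_missing_file": parse_untrusted(build_payload(missing), True),
            "hardened_existing_file": parse_untrusted(build_payload(secret), False),
        }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:26s} content={result['content']!r} error={result['error']}")
```

Run it directly to see the three outcomes side by side. The hardened case is the default in Python 3.7.1 and later (feature_external_ges is off unless an application turns it on); the point of setting the feature explicitly is that the safe configuration is visible in code review rather than inherited from whichever interpreter version happens to be installed.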

Courtesy: OWASP Top 10 2017 [A4: XML External Entities (XXE)]

0daybank

Tags: none
Last updated: December 13, 2017


COPYRIGHT © 2024 www.pdr.cn CVE漏洞中文网. ALL RIGHTS RESERVED.

Shandong ICP Filing No. 2022031030

Contact email: wpbgssyubnmsxxxkkk@proton.me