Security Test: XXE Injection¶
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | Frontend Scanner |
|---|---|---|
Description¶
Default Severity:
XXE vulnerabilities occur when an XML parser processes external entities, which can allow attackers to trick the system into accessing sensitive files or making requests to internal resources. Developers sometimes use default parser configurations that leave this door open, so attackers might exploit XML input to read confidential data, trigger unwanted actions on the server, or even run malicious code. This risk emphasizes the importance of carefully configuring XML parsers, validating input, and disabling any unnecessary external references.
Reference:
Configuration¶
Identifier:
injection/xxe
Examples¶
All configuration available:
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API10:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.1 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-32 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-4 |
| CWE | 611 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C |
| CVSS Score | 6.8 |