A Study of XXE Attacks Prevention Using XML Parser Configuration

Ramsha Shahid, Safdar Nawaz Khan Marwat, Ala Al-Fuqaha, Ghassen Ben Brahim

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Citations (Scopus)

Abstract

Online attacks are the outcome of cyber vulnerabilities. XML (eXtensible Markup Language) is a self-descriptive markup language, and XML eXternal Entity injection (XXE) is a well-recognised web security vulnerability. XXE injection targets web applications through their XML parsers, and several popular XML parsers are unable to withstand it. Most of the available literature on XXE is based on vulnerability testing; much less work has been done on ways to prevent such attacks. The aim of this research is to investigate XXE attacks and ways of preventing them. A sample vulnerable web application using the standard XML parser that accompanies the Java Development Kit (JDK) has been developed in this work for executing different attacks and detecting them. Ways of preventing XXE attacks are suggested as well. A virtual machine image of the developed framework is provided for trial-and-error experimentation and demonstration of the vulnerabilities. Different techniques and exploitation approaches for evaluating the sample web application's exposure to these vulnerabilities are used to build a platform for executing such attacks. Since the vulnerabilities of misconfigured XML parsers are depicted in detail in this work, effective methods for securing websites from XXE attacks are provided. Furthermore, this work also discusses tools for developing a platform for XXE attacks, and ways to eliminate the vulnerabilities.
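The prevention the abstract refers to, configuring the JDK's built-in DOM parser so that it refuses the DOCTYPE an XXE payload depends on, shown as an added Java example that is not the paper's own code or virtual-machine framework; the sample document, its placeholder SYSTEM path and the helper names are constructed for this illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeParserConfig {

    // Constructed sample: a DOCTYPE declaring an external entity. The SYSTEM
    // path is a placeholder; a permissive parser would try to read it.
    static final String SAMPLE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
        + "<note><body>&ext;</body></note>";

    /** Hardened configuration: no DTD at all, so no entity declaration reaches the parser. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: reject any DOCTYPE (this also stops entity-expansion DoS).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must still accept an internal DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** What the parser did with the document: "parsed", "rejected" or "fetched-external". */
    static String outcome(DocumentBuilderFactory factory, String xml)
            throws ParserConfigurationException {
        try {
            factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return "parsed";
        } catch (SAXException e) {
            return "rejected";         // hardened factory: the DOCTYPE is disallowed
        } catch (IOException e) {
            return "fetched-external"; // default factory: it tried to open the SYSTEM path
        }
    }

    public static void main(String[] args) throws Exception {
        // JDK default factory: DOCTYPE and external entities are honoured.
        System.out.println("default:  " + outcome(DocumentBuilderFactory.newInstance(), SAMPLE));
        System.out.println("hardened: " + outcome(hardenedFactory(), SAMPLE));
    }
}
```

The hardened factory fails closed at the DOCTYPE, so the external entity is never resolved; the remaining features matter only if an application cannot disable DOCTYPE outright.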

Original language: English
Title of host publication: Proceedings - 2022 14th IEEE International Conference on Computational Intelligence and Communication Networks, CICN 2022
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 830-835
Number of pages: 6
ISBN (Electronic): 9781665487719
DOIs
Publication status: Published - 2022
Event: 14th IEEE International Conference on Computational Intelligence and Communication Networks, CICN 2022 - Al-Khobar, Saudi Arabia
Duration: 4 Dec 2022 to 6 Dec 2022

Publication series

Name: Proceedings - 2022 14th IEEE International Conference on Computational Intelligence and Communication Networks, CICN 2022

Conference

Conference: 14th IEEE International Conference on Computational Intelligence and Communication Networks, CICN 2022
Country/Territory: Saudi Arabia
City: Al-Khobar
Period: 4/12/22 to 6/12/22

Keywords

  • API
  • DDoS
  • DTD
  • DoS
  • OWASP
  • XXE
  • parser
  • vulnerability

Projects

  • EX-QNRF-NPRPS-51: Development of Human-Centric Robust ML-Driven IoT Smart Services

    Ghaly, M. (Principal Investigator), Al Fuqaha, A. (Lead Principal Investigator), Assistant-1, R. (Research Assistant), Assistant-2, R. (Research Assistant), Assistant-3, R. (Research Assistant), Associate-1, R. (Research Associate), Bou-Harb, D. E. (Principal Investigator), Zubair, D. M. (Principal Investigator), Filali, P. F. (Principal Investigator) & Qadir, P. J. (Principal Investigator)

    15/03/21 to 15/09/23

    Project: Applied Research
