2

I'm trying to explain to myself why XXE doesn't fall under the Injection category, as it is a form of XML injection.

XML External Entity is an attack that manipulates the XML parser/interpreter, to achieve information disclosure of some data (i.e., a file from the file system).

SQL Injection is an attack that manipulates the SQL interpreter to achieve a wide range of goals, one of which might be information disclosure of some data.

Some organizations have even called XXE an Injection attack, and OWASP does list XML Injection under A1. While I would argue that with XXE you are not technically injecting any commands into an interpreter, the data flow for both categories is essentially the same:

[Diagram: data flow where an attacker supplies bad input to an interpreter; the flow can have none, one or many intermediate processes]

The threats are essentially the same - information disclosure and denial of service, though obviously with SQL injection you can do even more.

So, what would you argue is the main reason for this division? Is it simply to raise awareness for XXE in particular, or can it really be classified as standalone?

I'd argue that even XSS can be treated as Injection, but I can accept that the distinction here is that the system isn't attacked, but its users.

NLuburić
  • You can find this question asked, and a few answers suggested, at https://owasp.slack.com/archives/C04T40NND/p1518203938000514. (Registration URL is https://owasp-slack.herokuapp.com/) – Yaakov Saxon Nov 23 '20 at 15:48
  • Suggestions include that it may have been separated out to highlight its prevalence, and also the fact that the problem and its solution are on a slightly different level. In most injection scenarios, the problem is that the programmer improperly put user input into a command. With XXE, simply parsing an XML doc (with a misconfigured parser) is enough to cause the problem. – Yaakov Saxon Nov 23 '20 at 15:58
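Added example (not code from the question, the comments or the answer) illustrating the comment's point that XXE is a parser-configuration problem rather than a concatenated-command problem: the very same parse call handles a benign document and a document carrying an external entity declaration, so the defence is to configure the parser to fail closed on any DTD. It uses Python's standard-library expat bindings; both sample documents are constructed, and the `file:///PLACEHOLDER` URI is a placeholder, not a real target.

```python
import xml.parsers.expat

# Constructed samples: a benign document and one whose DOCTYPE declares an
# external entity (the XXE shape described in the question). Nothing here is
# user-supplied; both are inline test inputs.
BENIGN = b'<?xml version="1.0"?><order><item>widget</item></order>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
       b'<order><item>&ext;</item></order>')


class DtdRejected(ValueError):
    """Untrusted input carried a DOCTYPE or entity declaration."""


def parse_untrusted(data: bytes) -> list:
    """Parse XML from an untrusted source and return the text of <item> elements.

    Hardening is entirely parser configuration (no input is concatenated into
    anything): no ExternalEntityRefHandler is ever installed, so expat cannot
    fetch external entities, and the parse fails closed the moment a DTD or
    entity declaration appears, before any entity reference is expanded.
    """
    items, text, in_item = [], [], False

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed in untrusted input")

    def entity_decl(*_):
        raise DtdRejected("entity declaration not allowed in untrusted input")

    def start(tag, attrs):
        nonlocal in_item
        in_item = tag == "item"

    def end(tag):
        nonlocal in_item
        if tag == "item":
            items.append("".join(text))
            text.clear()
        in_item = False

    def chars(d):
        if in_item:
            text.append(d)

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = start_doctype   # reject any DTD outright
    p.EntityDeclHandler = entity_decl           # belt and braces
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    p.Parse(data, True)                         # exceptions from handlers propagate
    return items


def is_rejected(data: bytes) -> bool:
    """True if parse_untrusted refuses the document because it carries a DTD."""
    try:
        parse_untrusted(data)
    except DtdRejected:
        return True
    return False
```

The benign document yields `["widget"]`; the second is refused at the DOCTYPE, which is the detection point a defender gets for free once the parser is configured this way.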

1 Answer

3

Even in MITRE CAPEC, Injection is a distinctly-separate top-level category from Subversion of Access Control. XXE is a type of Privilege Abuse that falls under Subversion of Access Control, not Injection.

i.e.,

Inject Unexpected Items -> Command Injection -> XML Injection

Totally different from

Subvert Access Control -> Privilege Abuse -> XML External Entities

atdre