Extended Slovník

XML External Entity (XXE)

An XXE vulnerability allows attackers to interfere with XML processing, potentially leading to information disclosure, SSRF, or remote code execution.

An XML External Entity (XXE) vulnerability arises when an application processes XML input containing references to external entities, and the XML parser is configured to resolve these references without proper validation or sanitization. Attackers can leverage this to inject malicious DTD (Document Type Definition) or other external entity declarations into XML documents, compelling the server to disclose sensitive files, execute arbitrary code, or perform server-side requests to other systems.

What is an XML External Entity?

XML External Entities are a feature of XML that allows documents to reference external resources, such as files or URLs, through entity declarations in the Document Type Definition (DTD). While this feature was designed for legitimate purposes like modularity and reuse, it becomes dangerous when applications accept untrusted XML input and process it with a misconfigured parser.

An external entity declaration typically looks like this:

]>

When the parser encounters a reference to this entity (e.g., &xxe;), it attempts to resolve and include the contents of the specified resource.

Why are XML External Entities a Security Risk?

XXE vulnerabilities pose severe security risks because they can lead to:

  • Information Disclosure: Attackers can read sensitive files from the server, such as configuration files, credentials, or system files like /etc/passwd.
  • Server-Side Request Forgery (SSRF): Malicious entities can force the server to make HTTP requests to internal systems, potentially accessing admin panels or internal APIs.
  • Denial of Service (DoS): Recursive entity definitions ("billion laughs attack") can exhaust server memory and CPU resources.
  • Remote Code Execution: In certain configurations, XXE can lead to arbitrary code execution on the server.

Example Attack Scenarios

Reading sensitive files:

]><foo>&xxe;</foo>

This payload attempts to read the system's password file and include its contents in the XML response.

Performing SSRF attacks:

]><foo>&xxe;</foo>

This forces the server to make a request to an internal resource that would otherwise be inaccessible from the outside.

Which XML Parsers are Vulnerable to XXE?

Many XML parsers are vulnerable by default, including:

  • Java: DocumentBuilderFactory, SAXParser, XMLReader
  • PHP: SimpleXML, DOMDocument (when external entities are enabled)
  • .NET: XmlDocument, XmlReader (older versions)
  • Python: lxml, xml.etree (certain configurations)

The vulnerability depends on the parser's default configuration and whether external entity processing is explicitly disabled.

When Should XML Parsing be Secured?

XML parsing should be secured whenever your application:

  • Accepts XML input from users or external sources
  • Processes XML documents from APIs or third-party services
  • Handles SOAP web services or XML-based file uploads
  • Uses XML for configuration or data interchange

How to Prevent XML External Entity Attacks?

The most effective prevention strategies include:

  1. Disable DTDs and External Entities: Configure your XML parser to disallow DTD processing and external entity resolution entirely.
  2. Use Safe Parsers: Choose parsers that have secure defaults or use libraries specifically designed to prevent XXE.
  3. Input Validation: Validate and sanitize all XML input before processing.
  4. Use Less Complex Data Formats: Consider using JSON instead of XML where possible, as JSON doesn't have equivalent entity features.
  5. Keep Software Updated: Ensure XML processing libraries are up-to-date with security patches.

For detailed implementation guidance, refer to the OWASP XXE Prevention Cheat Sheet and the PortSwigger Web Security Academy.

← Back to Glossary