Improper Restriction of XML External Entity Reference
XML External Entity (XXE) injection occurs when an application parses untrusted XML input without disabling external entity resolution. An attacker can craft malicious XML that references external files or network resources, leading to information disclosure, denial of service, or server-side request forgery. This weakness is particularly dangerous because XML parsing is often considered a "safe" operation, yet it can expose sensitive files like configuration data or credentials.
02 How It Happens
XML allows documents to reference external entities—other files or network resources—via DOCTYPE declarations and entity definitions. When an XML parser is configured with its default settings, it will attempt to resolve these references by reading local files or making network requests on behalf of the application. If the application accepts XML input from an untrusted source (a user upload, an API request, a webhook) without explicitly disabling external entity processing, an attacker can inject entity declarations that point to sensitive files (/etc/passwd, database configuration files) or internal services. The parser then resolves these references and may expose their contents in error messages, responses, or logs.
03 Real-World Impact
XXE vulnerabilities can lead to confidentiality breaches—attackers can read arbitrary files from the server filesystem, including source code, configuration files, and private keys. In some configurations, XXE can be chained with other techniques to achieve remote code execution or denial of service by referencing infinitely recursive entities or extremely large files. Organizations have suffered data leaks and compliance violations when XXE flaws exposed customer data or internal credentials stored in configuration files.
04 Vulnerable & Fixed Patterns
Vulnerable pattern
import xml.etree.ElementTree as ET

def parse_user_xml(xml_data):
    # Dangerous: no restrictions on entity resolution
    root = ET.fromstring(xml_data)
    return root.find('username').text
Why it's vulnerable: The default ET.fromstring() parser will resolve external entities, allowing an attacker to reference local files or network resources via DOCTYPE declarations in the XML input.
Fixed pattern
from defusedxml.ElementTree import fromstring

def parse_user_xml(xml_data):
    # Safe: defusedxml's fromstring() refuses entity declarations and external
    # references (forbid_entities and forbid_external default to True);
    # forbid_dtd=True additionally rejects any DOCTYPE, so no DTD is processed
    root = fromstring(xml_data, forbid_dtd=True)
    return root.find('username').text
Vulnerable pattern
<?php
function process_xml_upload($xml_string) {
    // Dangerous: libxml external entities enabled by default
    $dom = new DOMDocument();
    $dom->loadXML($xml_string); // same problem with $dom->load('php://input')
    $root = $dom->documentElement;
    return $root->getElementsByTagName('data')->item(0)->nodeValue;
}
?>
Why it's vulnerable: PHP's DOMDocument and SimpleXMLElement enable external entity loading by default, allowing XXE attacks through DOCTYPE declarations or entity references in the XML.
Fixed pattern
<?php
function process_xml_upload($xml_string) {
    // Safe: refuse external entity loading while this document is parsed.
    // (On PHP 8.0+ the loader is already disabled and this call is deprecated.)
    $old = libxml_disable_entity_loader(true);
    $dom = new DOMDocument();
    // Never pass LIBXML_NOENT or LIBXML_DTDLOAD here: those flags turn entity
    // substitution and external DTD loading back on. LIBXML_NONET additionally
    // blocks network access during parsing.
    $dom->loadXML($xml_string, LIBXML_NONET);
    libxml_disable_entity_loader($old); // restore the previous setting
    $node = $dom->documentElement->getElementsByTagName('data')->item(0);
    return $node ? $node->nodeValue : null;
}
?>
05 Prevention Checklist
Disable external entity resolution in all XML parsers used in your application; use language-specific safe defaults or libraries (e.g., defusedxml in Python, libxml_disable_entity_loader() in PHP).
Validate incoming XML against a strict, predefined schema before processing it; reject any document that does not conform.
Use allowlisting for DOCTYPE declarations; if your application requires DTDs, define them internally and reject any external references.
Avoid parsing user-supplied XML whenever possible; if you must, parse it in a sandboxed environment with minimal file system and network access.
Keep XML libraries updated to the latest versions, which often include XXE mitigations by default.
Log and monitor XML parsing errors for signs of XXE attempts (e.g., unusual file path references in error messages).
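The first and third checklist items (disable entity resolution; allowlist DOCTYPE declarations) can be enforced with the Python standard library alone, which is useful where defusedxml cannot be installed. The block below is an added example, not code from this page: it keeps the same parse_user_xml() contract as the Python fixed pattern above, pre-scans the document with expat handlers that abort on any DTD construct, and only then hands it to ElementTree. The sample inputs are constructed and the SYSTEM identifier is a placeholder.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    """Raised when the input carries a DOCTYPE, entity declaration or external reference."""

def _refuse(reason):
    # expat handlers have differing signatures; accept anything and abort the parse
    def handler(*_args):
        raise UnsafeXML(reason)
    return handler

def assert_no_dtd(xml_bytes):
    """Pre-scan with expat; an exception raised in a handler propagates out of Parse()."""
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never fetch an external DTD
    p.StartDoctypeDeclHandler = _refuse("DOCTYPE declarations are not accepted")
    p.EntityDeclHandler = _refuse("entity declarations are not accepted")
    p.UnparsedEntityDeclHandler = _refuse("unparsed entity declarations are not accepted")
    p.ExternalEntityRefHandler = _refuse("external entity references are not accepted")
    p.Parse(xml_bytes, True)

def parse_user_xml(xml_data):
    """Gate first, then parse with the standard library as in the fixed pattern."""
    data = xml_data.encode("utf-8") if isinstance(xml_data, str) else xml_data
    assert_no_dtd(data)
    root = ET.fromstring(data)
    return root.find("username").text

def rejects(xml_data):
    """True when the gate refuses the document (used by the self-checks)."""
    try:
        parse_user_xml(xml_data)
    except UnsafeXML:
        return True
    return False

# Constructed sample inputs; the SYSTEM identifier is a placeholder, not a real path
BENIGN = "<user><username>alice</username></user>"
WITH_EXTERNAL_ENTITY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">]>'
    "<user><username>&ext;</username></user>"
)
```

Because the gate rejects every DOCTYPE, it also stops recursive-entity denial of service, since an entity cannot be declared without one.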
06 Signs You May Already Be Affected
Check your application logs for XML parsing errors that reference unexpected file paths (e.g., /etc/passwd, file://, http://localhost). Review your XML processing code for calls to DOM or XML parsers without explicit entity resolution restrictions. If your application accepts file uploads or webhook payloads in XML format, test whether a DOCTYPE declaration referencing a local file is processed without error.