XML External Entity Attack

XML External Entity (XXE) injection is a vulnerability that targets applications parsing XML input. It occurs when an XML parser is configured to resolve external entity references, allowing an attacker to inject malicious entity definitions that reference local files, internal network resources, or arbitrary URIs. The parser then processes these references during document parsing, potentially exposing sensitive data or triggering unintended server-side actions.

An attacker exploiting XXE can read arbitrary files from the application server, including configuration files, credentials, and private keys. XXE can also be leveraged to perform server-side request forgery (SSRF), enabling the attacker to reach internal services behind firewalls or trigger denial-of-service conditions through recursive entity expansion (known as a Billion Laughs attack). In some environments with vulnerable XML processing libraries, XXE may even lead to remote code execution.

Disable Document Type Definitions (DTDs) entirely in your XML parser configuration. This is the most effective defense because it prevents both external entity resolution and entity-expansion denial-of-service attacks. In Java, set the feature http://apache.org/xml/features/disallow-doctype-decl to true on the parser factory.

If disabling DTDs completely is not feasible, disable external entity and parameter entity processing explicitly. For SAX and DOM parsers, set http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false. For StAX parsers, set XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES to false.

Use well-maintained and up-to-date XML processing libraries, as newer versions often include secure defaults. Where possible, prefer simpler data formats such as JSON that do not support entity declarations.