XML External Entity (XXE) Injection
detect, understand, remediate
XXE injection exploits misconfigured XML parsers to read local files, perform SSRF, or cause denial of service through entity expansion attacks.
No credit card required. Free plan available forever.
What is XML External Entity (XXE) injection?
XML External Entity (XXE) injection is a web security vulnerability that targets applications that parse XML input. When an XML parser is configured to process external entity references, an attacker can craft malicious XML payloads to read local files, perform server-side request forgery (SSRF), or cause denial of service through entity expansion attacks.
XXE attacks exploit a feature of the XML specification itself, external entities, which allow XML documents to reference and include content from external URIs. While this feature was designed for legitimate document composition, it becomes dangerous when an application processes XML from untrusted sources without disabling external entity resolution.
The impact of XXE can range from information disclosure (reading sensitive files like /etc/passwd or application configuration) to full SSRF, enabling an attacker to reach internal services behind the firewall. In the worst case, a "billion laughs" attack (recursive entity expansion) can consume all available memory and crash the server.
How it works
Locate XML input
The attacker identifies an endpoint that accepts XML input, such as a SOAP API, a file upload (DOCX, SVG), or a configuration import.
Craft malicious DTD
A Document Type Definition is injected with an external entity that references a local file (file://) or internal URL (http://).
Parser resolves entity
The server's XML parser processes the DTD and resolves the external entity, fetching the referenced resource and embedding it in the parsed output.
Data exfiltrated
The content of the file or internal response is returned to the attacker in the application's response, or exfiltrated via an out-of-band channel.
Common causes
External entities enabled by default
Many XML parsers enable external entity processing by default. If developers don't explicitly disable it, the application is vulnerable out of the box.
DTD processing not disabled
Allowing Document Type Definition processing lets attackers define custom entities that reference external resources or expand recursively.
No XML parser hardening
Using XML parsers without applying security best practices (such as disabling external entities, DTDs, and parameter entities) leaves the application exposed.
XML used where simpler formats suffice
Choosing XML for data exchange when JSON or another format without entity support would do the job needlessly takes on an entire class of vulnerabilities that the simpler format would have eliminated.
How to detect it
Automated detection
- SecPortal's code scanner detects insecure XML parser configurations and missing entity-disabling flags in source code
- Authenticated scanning identifies endpoints that accept XML and tests for entity expansion and file inclusion
- SCA scanners flag known XXE vulnerabilities in XML parsing libraries and frameworks
Manual testing
- Submit XML payloads with external entity declarations referencing known files (e.g. /etc/hostname) to confirm file read
- Test for out-of-band XXE using external DTDs hosted on an attacker-controlled server to detect blind XXE
- Attempt entity expansion attacks (billion laughs) with nested entities to check for denial of service protections
How to fix it
Disable external entities and DTDs
Configure your XML parser to disallow external entity resolution and DTD processing. This is the single most effective mitigation against all XXE variants.
Use JSON or other simple data formats
Where possible, replace XML with JSON or other formats that do not support entity expansion or external references, eliminating the attack surface entirely.
Validate and sanitise XML input
If XML must be used, validate incoming XML against a strict schema (XSD) and reject documents containing DTD declarations or entity references.
Keep XML libraries up to date
Ensure all XML parsing libraries are patched to their latest versions. Many older versions have insecure defaults that newer releases have corrected.
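The guard below is an added example, not SecPortal's code, showing the "disable DTDs" and "reject documents containing DTD declarations or entity references" advice in practice with Python's standard library: an expat pass aborts at the first DOCTYPE, entity declaration or external entity reference, and only documents that pass are handed to ElementTree. The sample payloads are constructed for illustration.

```python
# Added example, not SecPortal's code: reject DOCTYPE/entity constructs before
# parsing, then parse with the standard library (the "disable DTDs" advice above).
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Document declares a DTD or an entity; refuse it before any expansion."""


def assert_no_dtd(data: bytes) -> None:
    """Walk the bytes with expat and abort at the first DTD construct."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE for <{name}> rejected (system id {sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity {name!r} (parameter={bool(is_param)}) rejected")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r} rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # an exception raised in a handler propagates here


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source; raises UnsafeXML on DTD constructs."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True only if the document is well formed and carries no DTD constructs."""
    try:
        parse_untrusted(data)
    except (UnsafeXML, ET.ParseError, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample inputs (not captured from any real system).
SAFE_ORDER = b"<order><item sku='A-1'/></order>"
FILE_READ = b"<!DOCTYPE d [<!ENTITY x SYSTEM 'file:///etc/hostname'>]><d>&x;</d>"
BLIND_OOB = b"<!DOCTYPE d SYSTEM 'http://dtd.example/evil.dtd'><d/>"
LAUGHS = b"<!DOCTYPE l [<!ENTITY a 'ha'><!ENTITY b '&a;&a;&a;'>]><l>&b;&b;&b;</l>"
```

The document is scanned twice (once by the guard, once by ElementTree), which is cheap compared with the cost of an expanded entity; the guard rejects the nested-entity payload at the DOCTYPE, before any expansion takes place.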
Detect XXE in your code
SecPortal's SAST scanner powered by Semgrep identifies XXE-prone XML parser configurations. Start scanning for free.