
What is XXE injection?

XXE abuses a feature of XML parsers to read server files, reach internal systems, and exfiltrate data, just by sending a crafted XML document. Here is what XML External Entity injection is, how it works, and how to disable the feature that causes it.

TL;DR

XXE (XML External Entity injection) is a vulnerability where an application parses attacker-supplied XML with external entities enabled, letting the attacker define an entity that points at a local file or internal URL. The parser fetches it, so the attacker reads server files (like /etc/passwd), performs SSRF against internal services, or exfiltrates data out-of-band. It is caused by XML parsers that resolve external entities by default, and the fix is simply to disable external entity and DTD processing.

By Shubham Khandare, Delivery Manager, SecureLayer7

What XXE is

XML supports entities (placeholders that expand to a value) and external entities, which load their value from a URI such as file:// or http://. Many XML parsers have historically resolved external entities by default.

XXE happens when an application parses XML that an attacker controls with that feature enabled. The attacker defines an external entity pointing at something they want, and the parser dutifully retrieves it and includes it in the parsed result.

How it works and example

The attacker submits XML with a malicious external entity:

  • Read a local file: <!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]> <r>&x;</r> returns the file in the response.
  • SSRF to internal services: point the entity at http://169.254.169.254/... (cloud metadata) or an internal host.
  • Blind/out-of-band XXE: when responses are not reflected, parameter entities and an external DTD exfiltrate data to an attacker-controlled server.

XXE often appears in file uploads (SVG, DOCX, SAML) and any endpoint that accepts XML. Examples shown for defensive context.

How to fix it

  • Disable external entity resolution and DTD processing in every XML parser (the exact flags vary by library; OWASP documents them per platform).
  • Prefer simpler formats like JSON where XML is not required.
  • Patch and update XML libraries, since older defaults are unsafe.
  • Validate file uploads that contain XML under the hood (SVG, Office documents, SAML).
  • Test every XML-accepting endpoint for entity resolution.
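As an added example that is not taken from the article (nor from SecureLayer7's own code), the following Python script uses only the standard library's xml.sax parser to show both sections above in action: the payload quoted under "How it works", pointed at a constructed temporary file instead of /etc/passwd, is expanded by a parser configured the unsafe way, and is refused once the two fixes from "How to fix it" are applied (external entities off, DTD rejected). The names parse_xml, DtdNotAllowed, make_secret_file and xxe_document_for, and the secret's content, are this example's own and not part of the page.

```python
import pathlib
import tempfile
from io import BytesIO
import xml.sax
from xml.sax import handler, xmlreader

# Constructed stand-in for a sensitive file; the real /etc/passwd is never touched.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash"


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE and DTD processing is disabled."""


class _RejectDtd:
    """Lexical handler whose only job is to abort on the first DOCTYPE seen."""

    def startDTD(self, name, public_id, system_id):
        raise DtdNotAllowed(f"DOCTYPE '{name}' rejected: DTD processing is disabled")

    # The other lexical events are ignored, but xml.sax looks these methods up eagerly.
    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


class _TextCollector(handler.ContentHandler):
    """Collects every character-data event, i.e. whatever the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_xml(xml_bytes, allow_external_entities=False, allow_dtd=False):
    """Parse untrusted XML and return its text content.

    The defaults are the hardened configuration (no DTD, no external entities).
    Passing True for both reproduces the unsafe configuration that XXE exploits.
    """
    parser = xml.sax.make_parser()
    # feature_external_ges governs external *general* entities (the &x; in the
    # payload). CPython defaults it to False since 3.7.1; older releases defaulted to True.
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    if not allow_dtd:
        # Rejecting the DOCTYPE up front also kills parameter-entity and external-DTD tricks.
        parser.setProperty(handler.property_lexical_handler, _RejectDtd())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    source = xmlreader.InputSource()
    source.setByteStream(BytesIO(xml_bytes))
    parser.parse(source)
    return "".join(collector.parts)


def make_secret_file():
    """Write the constructed secret into a fresh temp directory and return its path."""
    path = pathlib.Path(tempfile.mkdtemp()) / "secret.txt"
    path.write_text(SECRET_CONTENT, encoding="utf-8")
    return path


def xxe_document_for(path):
    """The article's file-read payload, aimed at the constructed file (assumed hypothetical input)."""
    uri = pathlib.Path(path).as_uri()  # e.g. file:///tmp/tmpabcd/secret.txt
    return f'<!DOCTYPE r [<!ENTITY x SYSTEM "{uri}">]><r>&x;</r>'.encode("utf-8")


if __name__ == "__main__":
    doc = xxe_document_for(make_secret_file())
    print("unsafe parser      :", parse_xml(doc, allow_external_entities=True, allow_dtd=True))
    print("no external entity :", repr(parse_xml(doc, allow_dtd=True)))
    try:
        parse_xml(doc)
    except DtdNotAllowed as exc:
        print("hardened           :", exc)
```

Run it and the first line prints the secret's content: the entity was fetched from disk and spliced into the document's text, which is the whole mechanism of XXE. With only external entities disabled the entity expands to nothing; with DTD processing refused as well, the document is rejected before any entity is even declared. The lexical-handler trick is how you get "no DTD" out of xml.sax specifically; other parsers and platforms expose their own switches, which is why the OWASP cheat sheet referenced below lists them per library.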

References

  1. OWASP: XML External Entity Prevention (OWASP)
  2. MITRE CWE-611: Improper Restriction of XML External Entity Reference (MITRE CWE)
  3. OWASP Top 10 (OWASP)

Want your application tested for this?


Test your application for XXE and 30+ other classes.

Our application penetration test is manual, evidence-led, and built so your developers can reproduce and fix every finding. Each engagement ships with proof-of-exploit and a free re-test.

See the methodology. 30-min scoping call, fixed-price proposal in 48 hours.