by peter


XML external entity attack Explained


Risk Rating: HIGH
Likelihood: 3/5
Impact: 5/5


  • Lack of Web Application firewall
  • Lack of monitoring
  • Poor coding

XML external entity attack Overview


What you need to know about XML External Entity Attacks

Although a common vulnerability, preventing XML external entity (XXE) attacks can be easily achieved with good coding practices and some language-specific advice.

Java inherently makes a programmer’s task of defending against XML external entity less definitive, due to the reliance on parsers. Java XML parsers are often vulnerable to XML external entity attacks, resulting in less control in securing your applications.

Thankfully, creators of these parsers are wise to this issue, actively ensuring that they are updated accordingly to be more secure, but you are still reliant on these third parties. Some of the most common XML parsers for Java include:

  • Dom Parser
  • SAX Parser
  • JDOM Parser
  • DOM4J Parser
  • StAX Parser

When relying on third party parsers, you should disable DOCTYPES, which will automatically protect you from XXE attacks.

XML external entity Vulnerability in PHP

PHP holds the title of perhaps the most popular back-end web application language, and as such, is a primary target for attackers, including XML external entity attacks. With attackers routinely finding new vulnerabilities, it is imperative to keep your PHP version up to date to secure your applications.

In relation to XML external entity prevention, there are things that you can do in order to ensure you’re a victim. Since PHP version 8.0.0, it is highly recommended that you use libxml_disable_entity_loader. Further information on fully undersanding and implementing this functionality in your code can be found here.

XXE Vulnerability in Python

Python’s popularity is growing each day with both new programmers and seasoned veterans. However, with rapid growth and expansion comes risk.

The first step in securing your Python applications is ensuring that the XML parsers you are using are safe. Some, such as EtreeMinidomXmlrpc, and Genshi are built with security in mind, resistant to XXE vulnerabilities. However, other popular modules such as Pulldom and Lxlm aren’t inherently safe, and precaution is advised.

Additional Prevention Tips

Here are a few general guidelines that can help you prevent XML external entity attacks:

  • Manually disable DTDs – configure XML parsers in your applications to disable custom document type definitions (DTDs). Most applications don’t use DTDs, so this should not hurt any functionality, but can prevent XXE attacks.
  • Instrument your application server – insert checkpoints in specific parts of your code to monitor runtime execution, and detect and block classes related to XML processing. This can deal with XML parsers you missed somewhere in your application code, and can prevent the most severe XXE exploits which lead to remote code execution.
  • Use security tools – Web Application Firewalls (WAF) have built-in rules that can block obvious XXE inputs. Dynamic Application Security Testing (DAST) tools can scan for XXE vulnerabilities early in the development process and suggest how to remediate them.
  • Harden configuration against XXE – the regular application hardening best practices will also be effective against XXE. Limit permissions, validate all inputs to ensure they do not reach XML parsing logic, handle errors, use authentication and encryption, limit outbound traffic, and limit DNS communications.

How XML External Entity attacks happens

XXE (XML External Entity Injection) is a common web-based security vulnerability that enables an attacker to interfere with the processing of XML data within a web application.

While XML is an extremely popular format used by developers to transfer data between the web browser and the server, this results in XXE being a common security flaw.

XML requires a parser, which is typically where vulnerabilities occur. XXE enables an entity to be defined based on the content of a file path or URL. When the XML attack payload is read by the server, the external entity is parsed, merged into the final document, and returns it to the user with the sensitive data inside.

XXE attacks can result in port scanning within the internal network, server-side request forgery (SSRF), data exfiltration, use of an organization’s servers to perform denial of service (DoS), and more. It is therefore important to implement XXE prevention strategies.

Attack Sources

XML external entity attacks can come from anywhere.  Consider restricting access to your applications to specific countries that you do business with.