This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals or may compromise the security of the data the server/XML application has access to.

By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file.

• XML External Entities
• XML External Entity (XXE) Prevention Cheat Sheet
• Improper Restriction of XML External Entity Reference
• CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H