XML External Entity Injection

  • PCI 3.2-6.5.1
  • CWE 611
  • OWASP 2017-A4

XML External Entity (XXE) Injection is an attack against applications that parse XML input with a processor configured to resolve external entities. Because the attacker controls the document's DOCTYPE, a crafted payload can declare entities whose values are read from local files, remote URLs, or other system identifiers, and the parser substitutes that content wherever the entity is referenced. Expanding those entities can lead to disclosure of local files, server-side request forgery (SSRF), port scanning of internal networks, denial of service (billion laughs / entity expansion), and, in some environments, remote code execution depending on the parser and the URI schemes it can open.

Common XXE scenarios:

  • Parsing untrusted XML that contains DOCTYPE declarations with <!ENTITY> definitions which reference file://, http://, or ftp:// URIs.
  • Accepting XML uploads (SOAP, SAML, RSS, document imports) and processing them without disabling external entity resolution.
  • Using older or misconfigured XML libraries/parsers that enable external entity resolution by default.
  • Processing XML in contexts that later allow inclusion of the resolved entity values in sensitive operations (e.g., configuration loading, command construction).

Typical impacts:

  • Local file disclosure: reading sensitive files such as configuration files, password stores, or private keys via file:// entity references.
  • SSRF / remote resource access: forcing the server to make HTTP/DNS requests to attacker-controlled infrastructure or internal-only services.
  • Denial of Service: resource exhaustion via recursive entity expansion (e.g., "billion laughs") or large resource retrievals.
  • Information gathering / internal scanning: probing internal network services by requesting internal endpoints from the server.
  • Potential remote code execution: in rare cases, when the parser can open a scheme that executes commands (for example PHP with the expect:// stream wrapper available) or when the expanded content reaches other weaknesses that evaluate it.

Why XXE happens:

  • XML parsers that resolve external entities and DTDs by default.
  • Accepting and processing XML from untrusted sources without parser hardening.
  • Lack of input validation and failure to restrict or sanitize XML features.
  • Legacy code or libraries that predate secure parser defaults.

Detection signals:

  • Presence of <!DOCTYPE or <!ENTITY in XML submitted to the application, especially entities with SYSTEM or PUBLIC identifiers or parameter entities (%name;).
  • Unexpected outbound requests (HTTP, FTP, or DNS lookups) from the application server after XML processing.
  • Application responses, or error messages, containing contents of local files (e.g., fragments of /etc/passwd, configuration snippets).
  • High CPU/memory usage or crashes after processing specially crafted XML payloads.

Remediation

Mitigating XXE requires hardening XML processing, applying secure parser settings, and using defensive design patterns.

  1. Disable External Entity Resolution
    Configure XML parsers to disallow DTD processing and external entity resolution. The most reliable single setting is to reject any DOCTYPE declaration outright (e.g., the Xerces/Java feature disallow-doctype-decl), since without a DTD no entities, internal or external, can be declared; where a DTD must be accepted, turn off external-general-entities and external-parameter-entities explicitly. In Java, FEATURE_SECURE_PROCESSING on its own limits entity expansion but is not sufficient to stop XXE.

  2. Use Safe Parsing Modes or Libraries
    Prefer simple, non-XML data formats (JSON) where appropriate. When XML is required, use libraries or APIs that default to safe parsing behavior or offer secure parsing helpers.

  3. Validate and Sanitize Input
    Apply strict validation on XML inputs: enforce expected schemas, disallow DTDs/DOCTYPE declarations, and reject documents that include entity declarations when not required. Perform schema validation with the same hardened parser; schema validation cannot substitute for parser hardening, because entities are declared and expanded while the document is being read, before validation is applied.

  4. Limit Resource Use
    Configure parser limits for memory, recursion depth, total entity expansion, and maximum sizes for parsed content to mitigate denial-of-service variants.

  5. Network and Egress Controls
    Restrict application server egress so it cannot reach arbitrary external hosts. Use egress allowlists, internal proxies, or firewall rules to prevent servers from fetching attacker-controlled URIs.

  6. Least Privilege for File Access
    Ensure the application runs with minimal filesystem privileges and that sensitive files are not readable by the process unless absolutely necessary.

  7. Avoid Evaluating Retrieved Content
    Never execute or directly evaluate the content retrieved via entity expansion. Treat expanded data as untrusted input and apply the usual validation/escaping.

  8. Patch and Update XML Libraries
    Keep XML parsers and related libraries up to date, and follow vendor guidance for secure configuration. Replace deprecated or unmaintained parsers.

  9. Logging and Monitoring
    Log XML processing failures and suspicious XML inputs. Monitor for unexpected outbound requests or unusual patterns following XML handling.

  10. Testing and Code Review
    Include XXE tests in automated security testing and penetration testing. During code review, flag any XML parsing code that does not explicitly disable external entity resolution.