Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
An XXE vulnerability exists when a web application parses XML documents from an untrusted source. If the underlying XML parser accepts a DTD, an attacker can manipulate the XML document in a way that allows them to read files on the system. The following code snippet shows a malicious XML document that forces the application to read sensitive files on the server.
A poorly configured XML parser would read the file specified in the DTD and possibly display it to the attacker. To protect your web application from this kind of attack, disable the entity loader of the XML parser, as the snippet below shows.
In addition to disabling the entity loader, it is recommended to use a local static DTD and to reject any other DTD included in the XML document.
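As an added example (not code from the original page), the two recommendations above, disabling the entity loader and refusing any DTD shipped inside the document, applied to Python's standard-library `xml.sax` (expat) parser: external general and parameter entities are switched off, the entity resolver refuses every SYSTEM/PUBLIC identifier, and a lexical handler aborts the parse as soon as a `<!DOCTYPE` appears. All class and function names, and the two sample documents with their placeholder file path, are my own constructions.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, EntityResolver, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

class UnsafeXMLError(ValueError):
    """Untrusted input carried a DTD or an external entity."""

class RefuseDTD:
    """Lexical handler: expat calls startDTD on any <!DOCTYPE>, so the document
    is refused before a single ENTITY declaration is processed."""
    def startDTD(self, name, public_id, system_id):
        raise UnsafeXMLError(f"DOCTYPE not allowed in untrusted input: {name!r}")
    # the remaining lexical callbacks are no-ops
    endDTD = comment = startCDATA = endCDATA = lambda self, *args: None

class RefuseExternalEntities(EntityResolver):
    """Second line of defence: never open a SYSTEM or PUBLIC identifier."""
    def resolveEntity(self, public_id, system_id):
        raise UnsafeXMLError(f"external entity refused: {system_id!r}")

class Collector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.elements = []          # element names in document order
    def startElement(self, name, attrs):
        self.elements.append(name)

def parse_untrusted_xml(data: bytes):
    """Parse bytes from an untrusted source; returns the element names seen."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    parser.setProperty(property_lexical_handler, RefuseDTD())
    parser.setEntityResolver(RefuseExternalEntities())
    handler = Collector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.elements

def rejects(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return False
    except UnsafeXMLError:
        return True

# Constructed samples; the SYSTEM path is a placeholder and is never opened.
MALICIOUS = b'<!DOCTYPE d [<!ENTITY e SYSTEM "file:///tmp/placeholder.txt">]><d>&e;</d>'
CLEAN = b'<?xml version="1.0"?><order><item>widget</item></order>'
```

If the application genuinely needs a DTD, validate against a local static copy in a separate step rather than relaxing the `RefuseDTD` check on untrusted input.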