XML External Entities (XXE)

Summary

XXE allows an attacker to read files on the server, or reach resources on its internal network, by submitting XML that declares and references external entities.

Description

XML External Entity (XXE) injection occurs when an application parses XML from an untrusted source with a parser that still resolves external entities. An external entity is declared in the document's DTD and points at a resource by URI, typically a local file path or a URL. When the parser expands a reference to that entity, it fetches the resource and splices its contents into the document, so the application unwittingly acts on data the attacker chose to load. An attacker abusing this can read any file the application process can read, reach hosts and protocols on the server's internal network (turning the parser into an SSRF proxy), and, in some parser and platform configurations, escalate to Remote Code Execution.

Remediations

  • If possible, disable XML external entity and DTD processing in all the XML parsers used by the application.
  • If possible, always prefer JSON over XML in the design of your REST APIs.
  • Enforce an allow-list of exactly which elements, attributes and values are accepted (for example, by validating input against an XSD schema), and reject everything else.
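The following is an added example, not code from the original page: it shows the attack described above and the first remediation side by side using Python's standard xml.parsers.expat module. The secret file, the payload and the function names (make_payload, parse_vulnerable, parse_hardened, run_demo) are constructed for this illustration. The vulnerable parser installs an ExternalEntityRefHandler that fetches whatever URI the DTD names, which is what an XXE-prone parser does for you by default; the hardened parser refuses any DOCTYPE outright and installs no entity resolver at all.

```python
"""Added example: a minimal XXE demonstration with Python's xml.parsers.expat.

The helper names, the temporary secret file and the payload are constructed
for this example; they are not part of the original page.
"""
import tempfile
import urllib.request
from pathlib import Path
from xml.parsers import expat


class DtdRejected(ValueError):
    """Raised by the hardened parser when the document carries a DOCTYPE."""


def make_payload(secret_uri: str) -> bytes:
    """Constructed attacker input: declare an external entity, then reference it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "{secret_uri}"> ]>\n'
        "<order><id>&xxe;</id></order>"
    ).encode()


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Return the text content of the document, resolving external entities.

    The ExternalEntityRefHandler below does what an XXE-prone parser does on
    its own: it fetches the URI named in the DTD and splices the result in.
    """
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        # The bug: fetching an attacker-supplied URI. file:// reads local
        # files; http:// would turn this same code path into SSRF.
        with urllib.request.urlopen(system_id) as resp:
            body = resp.read()
        sub = parser.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = text.append
        sub.Parse(body, True)
        return 1  # tell expat the entity was handled

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_hardened(xml_bytes: bytes) -> str:
    """Same parse, but refuse any DOCTYPE and never resolve external entities."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def reject_dtd(name, system_id, public_id, has_internal_subset):
        # Untrusted input has no business carrying a DTD at all.
        raise DtdRejected(f"rejected DOCTYPE {name!r}")

    parser.StartDoctypeDeclHandler = reject_dtd
    # No ExternalEntityRefHandler is installed, so even a DTD that slipped
    # past the check above could not make this parser fetch anything.
    parser.Parse(xml_bytes, True)
    return "".join(text)


def run_demo() -> dict:
    """Write a secret to a temp file, then feed one payload to both parsers."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = Path(tmp) / "secret.txt"
        secret_path.write_text("s3cr3t-token")  # constructed secret
        payload = make_payload(secret_path.as_uri())

        leaked = parse_vulnerable(payload)  # the secret ends up in <id>
        try:
            parse_hardened(payload)
            hardened = "parsed"
        except DtdRejected as exc:
            hardened = str(exc)
    return {"leaked": leaked, "hardened": hardened}


if __name__ == "__main__":
    print(run_demo())
```

Note the two layers in the hardened parser: rejecting the DOCTYPE stops internal entity declarations (including entity-expansion denial of service) as well as external ones, and leaving the entity resolver uninstalled means that even a parser misconfiguration elsewhere cannot turn a DTD into a file read or an outbound request.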
Anatomy

Usually follows
  • Local or Remote File Inclusion or Read
  • Insecure Deserialization

Usually precedes
  • Insecure Deserialization
  • Local or Remote File Inclusion or Read
  • Remote Code Execution (RCE)
  • Server Side Request Forgery (SSRF)

Affected components
  • Server
  • Sensitive Information