Java Labs
Explore 1 lab in Java.
XML External Entity (XXE) is a vulnerability that arises when an application parses XML input without properly restricting the use of external entities. Attackers can exploit this by including malicious entities in the XML payload that reference external files or resources on the server. When the parser processes the XML, it may inadvertently access local files, make HTTP requests, or even cause denial of service through recursive entity expansion (a variant known as a Billion Laughs attack). This can lead to the disclosure of sensitive files, server-side request forgery (SSRF), or other unexpected behavior.
To remediate XXE vulnerabilities, applications should disable the ability to resolve external entities and DTDs (Document Type Definitions) within the XML parser. Developers should use secure libraries or configurations that explicitly turn off this functionality. Additionally, where possible, applications should avoid using XML altogether in favor of less complex data formats like JSON. Input validation and enforcing strict content-type checks can also reduce the risk. Keeping XML parsers and dependencies up to date ensures that known vulnerabilities are patched.
Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.
Join our secure coding and AppSec community: a discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec, code review, and more.