Start the machine, hack the system, and find the hidden flags to complete this challenge and earn XP!
XML External Entity (XXE) injection is a web security vulnerability that targets applications processing XML input. When XML parsers are configured to resolve external entity references, attackers can exploit this functionality to read arbitrary files from the server, perform Server-Side Request Forgery (SSRF), and in some cases achieve remote code execution. XXE has been recognized as a critical threat in the OWASP Top 10 and affects any application that parses XML data from untrusted sources.
XML supports a feature called external entities, defined in the Document Type Definition (DTD), that allows XML documents to reference external resources. An entity declaration like <!ENTITY xxe SYSTEM "file:///etc/passwd"> instructs the XML parser to fetch the contents of the specified file and include it wherever the entity reference &xxe; appears in the document. When an application reflects parsed XML content back to the user, the file contents are disclosed in the response.
The attack surface for XXE is broader than many developers realize. Any endpoint that accepts XML input is potentially vulnerable; this includes SOAP web services, RSS feed processors, document upload handlers (DOCX, XLSX, and SVG files are all XML-based), SAML authentication flows, and configuration file parsers. Even applications that appear to use JSON may accept XML if the Content-Type header is changed, since many frameworks negotiate between multiple content types transparently.
When the application does not directly reflect XML content, attackers can use out-of-band (OOB) techniques to exfiltrate data. By defining external entities that make HTTP requests to an attacker-controlled server with file contents encoded in the URL, sensitive data can be extracted without any visible output in the application response. Parameter entities and error-based techniques provide additional exfiltration channels when standard approaches fail.
The most effective defense against XXE is disabling external entity processing in the XML parser configuration. In Java, this means setting features like disallow-doctype-decl and external-general-entities to prevent entity resolution. Most modern XML libraries default to secure configurations, but legacy code and some frameworks still enable dangerous features. Input validation, using JSON instead of XML where possible, and regular security testing complement parser hardening.
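As an added example (not code from the lab page), the same hardening expressed with Python's standard-library expat parser: the document is refused as soon as a DOCTYPE appears, the counterpart of Java's disallow-doctype-decl, and a fallback handler refuses to fetch any external entity that might still be reached. The two sample documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when untrusted input carries a DOCTYPE (DTD) declaration."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DOCTYPE.

    Without a DTD there is nowhere to declare an external entity, so
    file disclosure and SSRF through entity expansion cannot occur.
    This mirrors Java's disallow-doctype-decl feature.
    """
    scanner = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any exception raised here propagates out of Parse().
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in untrusted input")

    def on_external_entity(context, base, sysid, pubid):
        # Defence in depth: returning 0 tells expat the reference could not
        # be resolved, so nothing is ever fetched from file:// or http://.
        return 0

    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.ExternalEntityRefHandler = on_external_entity
    scanner.Parse(data, True)  # raises DoctypeRejected or ExpatError
    return ET.fromstring(data)  # document is DTD-free; parse it normally


# Constructed sample documents (not taken from the lab).
SAFE_DOC = b"<order><item>widget</item></order>"
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<order><item>&xxe;</item></order>"
)


def is_accepted(data: bytes) -> bool:
    """True if the document passes the DOCTYPE gate, False if it is rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except DoctypeRejected:
        return False


if __name__ == "__main__":
    print("safe document accepted:", is_accepted(SAFE_DOC))
    print("entity document accepted:", is_accepted(XXE_DOC))
```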