XXE

Definition

XXE (XML External Entity) injection is a security vulnerability that occurs when an XML parser processes external entity declarations in documents it receives from untrusted sources. This can lead to unauthorized disclosure of sensitive information, server-side request forgery (SSRF), or denial of service (DoS). XXE attacks exploit the parser's ability to include external entities, which can be manipulated to access local files, reach network resources, or execute arbitrary code.

Secure Settings Example

To prevent XXE vulnerabilities, configure XML parsers to disable external entity processing; rejecting the DOCTYPE declaration outright is the most robust setting, since every entity declaration lives inside the DTD. Here is an example in Java using the DocumentBuilderFactory:

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

// setFeature throws ParserConfigurationException when the parser does not support a feature
static DocumentBuilder secureBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);   // reject any DOCTYPE
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); // defence in depth below
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    return dbf.newDocumentBuilder();
}

Insecure Settings Example

An insecure configuration example in Java that relies on the parser's defaults: the JDK's built-in parser accepts a DOCTYPE and resolves the external entities it declares, so external entities are not disabled and the application is vulnerable to XXE attacks:

import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// No features are set to disable external entities: a builder created from this
// factory accepts a DOCTYPE and resolves any SYSTEM entity it declares
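The two configurations above differ only in how they handle a DOCTYPE, so the quickest way to confirm that a factory is actually hardened is to feed both a document that declares an external entity and compare the results. The following program is an added example written for this page, not code from the original; it creates a throwaway temp file with a constructed marker string, builds a constructed XML document whose external entity points at that file, and parses it once with the default factory and once with the hardened factory. The default configuration copies the file's contents into the document, while the hardened one rejects the DOCTYPE before any entity is resolved. The class and method names (XxeConfigCheck, hardenedFactory, defaultFactory, parseData) are assumptions for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeConfigCheck {

    // Hardened factory: the same four features as the secure example above.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return dbf;
    }

    // Default factory: nothing disabled, as in the insecure example above.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Parse the document and return the text of the root element,
    // or a short description of why the parser refused it.
    static String parseData(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the hardened parser fail here, before any entity is resolved
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a temp file standing in for a local resource the parser should never read.
        Path marker = Files.createTempFile("xxe-check", ".txt");
        Files.writeString(marker, "CONSTRUCTED-MARKER");
        marker.toFile().deleteOnExit();

        // Constructed document whose external entity refers to that file by URI.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"" + marker.toUri() + "\">]>\n"
            + "<data>&ext;</data>";

        System.out.println("default  -> " + parseData(defaultFactory(), xml));
        System.out.println("hardened -> " + parseData(hardenedFactory(), xml));
    }
}
```

Compile and run with `javac XxeConfigCheck.java && java XxeConfigCheck` on JDK 11 or later (Files.writeString needs 11). The default line shows the marker string inside the parsed document, which is the leak the definition above describes; the hardened line shows a SAXParseException complaining that DOCTYPE is disallowed. A check like this belongs in a unit test so that a later change to the factory configuration cannot silently reintroduce external entity resolution.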