XML External Entity (XEE) Attack – Examples And Prevention in 3 Points


An XXE attack is referred to as an attack that takes place against an application parsing XML input. This attack abuses a rarely used but broadly available feature of XML parsers. Attackers use XXE or XML External Entity to cause DoS or Denial of Service. It also results in gaining access to remote and local content and services. In simple words, an XEE attack is a web security vulnerability using which an attacker interferes with XML Data application processing. 

  1. What are XML External Entities?
  2. XEE Example
  3. How to Prevent XEE Attack

1) What are XML External Entities? 

OWASP defines XML External Entity as an attack against an XML input parsing application. It is also referred to as XML External Entity Injection. This attack takes place due to web security based vulnerability when a reference to an external entity containing XML input gets possessed by an XML parser that is weakly configured. As a result of this attack, denial of service, confidential data disclosure, port scanning from the machine perspective where the parser is located, server-side request forgery, and other system impact results. 

XML-based downstream integrations or web services and applications are prone to attack in conditions-

  • It occurs in XXE Vulnerability when the application directly accepts XML inserts from untrusted data or uploads from untrusted sources into XML documents. It, in turn, gets parsed by an XML processor. 
  • It also happens when any XML processors in SOAP-based web services or applications have DTDs or Document Type Definitions enabled. The mechanism for disabling DTD processing may vary from one processor to another. It is always better to consult a reference like ‘XXE Prevention’ by OWASP Cheat Sheet.
  • If an application uses SAML to process identity within a single sign-in SSO or federated security purposes, the chances of XXE attack is high. XML is used by SAML for identity assertions, which, in turn, may be vulnerable. 
  • If an application uses SOAP before version 1.2, it may be vulnerable to XXE attacks if XML entities get passed to the SOAP framework. 
  • Susceptibility to XXE attacks means vulnerability of the application to denial of service attacks, including Billion Laughs Attack. 

2) XEE Example

This vulnerability can be easily understood with the help of pertinent XEE examples. Here are a few that shall help clarify things. 

With time, several public XXE problems have come to light. It also includes an attack on embedded devices. It is prudent to note that XXE attacks can occur in several unexpected places like deeply nested dependencies. If accepted, the easiest way to get a malicious XML file uploaded;

Example 1- In this case, the attacker tries to extract data from the server. 

          <?xml version=”1.0″ encoding=”ISO-8859-1″?> <!DOCTYPE foo [

          <!ELEMENT foo ANY >

          <!ENTITY xxe SYSTEM “file:///etc/passwd” >]> <foo>&xxe;</foo>

Example 2- The attacker probe’s the private network of the server by changing the above entity line to-

          <!ENTITY xxe SYSTEM “” >]>

Example 3 – The attacker includes a potentially endless file to use a denial of service attack.

          <!ENTITY xxe SYSTEM “file:///dev/random” >]>

Example 4- In this example, the simple web application output accepts XML input. It then parses it and gives the result. 

Request Response
POST https://example.com/xml HTTP/1.1<foo>Hello World</foo> HTTP/1.0 200 OK Hello World 

XML can be used to declare attributes, elements, and text. These XML documents are of a particular type, and the document type can be declared by specifying the type definition. XML Parser validates XML document if it adheres to this definition before document processing. There are two definition types. One is DTD or a Document Type Definition and XSD or XML Schema Definition. Document Type Definitions witness XXE vulnerabilities though it is considered legacy. These are sourced from the ancestor of XML or SGML. 

Example 5- In this example of XXE payload, foo with an element called bar Document Type Definition is an alias for World. Thus, any bar & time is used, and the XML parser replaces the entity with the word World. 

Request Response
POST https://example.com/xml HTTP/1.1 <?xml version=”1.0″ encoding=”ISO-8859-1″?><!DOCTYPE foo [  <!ELEMENT foo ANY>  <!ENTITY bar “World”>]><foo>  Hello &bar;</foo>  HTTP/1.0 200 OK Hello World       

An attacker uses XML entities that may seem harmless, causing a denial of service by embedding entities with entities. This attack is popularly known as the Billion Laughs attack. It also overloads XML parser memory. In some cases, the XML parsers limit the memory amount that can be used automatically.

There is a file /etc/fstab that contains XML lookalike characters even when they are not XML. It causes the XML parser to try and pars these elements but notice that it is not a valid or genuine XML document. 

Thus, XXE or XML External Entity gets limited in two ways-

  • XXE is of no use to acquire binary files.
  • XXE can be used to obtain responses or files containing a ‘valid’ XML.

These were a few of XXE attack examples that give an idea of the issue.

3) How to Prevent XEE Attack

It is important to look for ways and means to curb these XXE XML external entity attacks. For this, it is important to go for developer training that helps identify issues and mitigate XXE attacks. Following is required for prevention XXE-

  • Use lesser complicated data formats whenever possible, like JSON, and avoid sensitive data serialization.
  • Upgrade or patch all XML libraries and processors used by the underlying operating system or the application. Instead, use dependency checkers and go for an updated SOAP 1.2 or SOAP or higher.  
  • Disable DTD processing or XML external entity in all applications in all XML parsers as per the Cheat Sheet of OWASP ‘XXE Prevention.’
  • Focus on the implementation of whitelisting or positive server-side input validation, sanitization, or filtering to prevent hostile data in XML headers, documents, or nodes. 
  • Next, concentrate on verifying XSL or XML file upload functionality validating XML using XSD validation or something similar. 
  • XXE is also detected with the help of SAST tools in source code. Simultaneously, manual code review is also the best option in complicated, large applications with multiple integrations. 

In case such controls are not working or not possible, check virtual patching, Web Application Firewalls, Interactive Application Security Testing, or API Security Gateways for the detection, monitoring, and blocking XXE attacks.


So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give them an edge in this competitive world.

Also Read

Related Articles

Please wait while your application is being created.
Request Callback