XML External Entity Injection (XXE)
Also known as: XXE
XML External Entity (XXE) injection targets applications that parse XML using a processor configured to resolve external entities. By defining a malicious DOCTYPE, an attacker can read local files, trigger server-side requests (SSRF), or exhaust resources. XXE typically stems from insecure default parser configurations.
How it works
- 1The application parses attacker-supplied XML (uploads, SOAP, SAML, document formats).
- 2The XML parser has external entity resolution enabled.
- 3The attacker declares an external entity pointing at a local file or internal URL.
- 4The parser resolves it, returning file contents or issuing an internal request.
Example
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY x SYSTEM "file:///etc/passwd">
]>
<data>&x;</data>Impact
XXE can disclose sensitive files, pivot into SSRF against internal services, and cause denial of service. In some stacks it escalates to remote code execution.
Remediation
- Disable DOCTYPE and external entity resolution in every XML parser.
- Prefer less complex data formats (JSON) where XML is not required.
- Patch and configure parsers to the secure defaults documented by OWASP.
- Validate uploads and reject XML containing DOCTYPE declarations.
Detection & testing
Submit XML with benign external entities and out-of-band callbacks to detect resolution. Review every XML-parsing entry point, including SAML and document uploads.
Impactr tests for XML External Entity Injection (XXE) the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.
Test my app for XXETools
Frequently asked questions
Why did XXE move under Security Misconfiguration in OWASP 2021?
In the 2021 Top 10, XXE was merged into A05:2021 – Security Misconfiguration, reflecting that it usually results from insecure parser configuration rather than a distinct category.