XML entity injection - Vulnerability Database

XML entity injection

Description

XML External Entity (XXE) injection is a vulnerability that occurs when an XML parser processes external entity references without proper restrictions. XML parsers can be instructed to include content from external sources using entity declarations in the Document Type Definition (DTD). When an application processes XML input from untrusted sources with external entity processing enabled, attackers can craft malicious XML documents that reference local files or remote resources. For example, an attacker can define an entity that points to file:///etc/passwd and have the parser include its contents in the XML document, potentially exposing sensitive data through the application's response.

Remediation

Disable XML external entity processing in your XML parser configuration. The specific method depends on the XML parser library being used:

Java (DocumentBuilderFactory):

// Rejecting the DOCTYPE declaration outright is the primary control: without a DTD no entity can be declared.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// The remaining settings are defence in depth for parsers that must still accept a DOCTYPE.
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);

PHP (libxml):

// Deprecated as of PHP 8.0 (libxml 2.9.0 and later disable external entity loading by default); keep it for older runtimes.
libxml_disable_entity_loader(true);
$dom = new DOMDocument();
// Do not pass LIBXML_NOENT (substitutes entities) or LIBXML_DTDLOAD (loads external DTDs); LIBXML_NONET forbids network access while parsing.
$dom->loadXML($xml, LIBXML_NONET);

.NET (XmlReader):

// DtdProcessing.Prohibit (the XmlReaderSettings default) throws on any DTD; a null resolver prevents fetching any external resource.
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
settings.XmlResolver = null;
XmlReader reader = XmlReader.Create(stream, settings);

Python (lxml):

from lxml import etree
# resolve_entities=False leaves entity references unexpanded; no_network=True (lxml's default) blocks network fetches.
parser = etree.XMLParser(resolve_entities=False, no_network=True)
tree = etree.parse(source, parser)

If DTD processing is required for your application, use a local static DTD and configure the parser to only accept predefined entities. Additionally, implement input validation and consider using less complex data formats like JSON when XML features are not necessary.
