XML external entity injection
Description
XML External Entity (XXE) injection is a vulnerability that occurs when an XML parser processes external entity references from untrusted input without proper restrictions. XML parsers can be instructed to retrieve and include content from external sources using entity declarations in the Document Type Definition (DTD). When user-controlled data is parsed without disabling this feature, attackers can craft malicious XML documents that reference local files or internal network resources. This allows unauthorized access to sensitive data and internal systems through the application's XML processing functionality.
Remediation
Disable XML external entity processing and DTD parsing in all XML parsers used by the application. The specific implementation varies by parser library:
For Java (DocumentBuilderFactory):
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Rejecting the DOCTYPE outright is the primary control: without a DTD there are no entities.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth for deployments that cannot reject every DTD.
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);

For PHP (libxml):
// External entity loading is off by default since PHP 8.0 (libxml 2.9+), where
// libxml_disable_entity_loader() is deprecated; the call is still needed on PHP 7.
libxml_disable_entity_loader(true);
$dom = new DOMDocument();
// Do not pass LIBXML_NOENT or LIBXML_DTDLOAD: those flags turn on entity
// substitution and DTD loading, which is exactly what this remediation removes.
$dom->loadXML($xml, LIBXML_NONET);

For .NET (XmlReader):
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit; // throw on any DOCTYPE
settings.XmlResolver = null;                     // never fetch external resources
XmlReader reader = XmlReader.Create(stream, settings);

For Python (lxml):
from lxml import etree
# resolve_entities=False leaves entity references unexpanded and no_network=True
# blocks remote fetches; load_dtd is already False by default.
parser = etree.XMLParser(resolve_entities=False, no_network=True)
doc = etree.parse(source, parser)
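The per-parser settings above all reduce to one rule: untrusted input must not be allowed to declare a DTD. The following added example (not code from the original advisory or from any of the libraries it names) implements that rule as a parser-independent guard in Python, using only the standard library: expat tokenises the bytes and aborts on the first DOCTYPE or entity declaration, and only documents that pass are handed to the application's normal parser (ElementTree stands in for it here). The sample documents and the SYSTEM identifier path are constructed for the example. Using the tokeniser rather than a regex over the raw bytes means a DOCTYPE quoted inside a comment is not a false positive, while a real declaration in a UTF-16 document is still caught.

```python
"""Added example, not part of the original advisory or any project's code:
reject untrusted XML that carries a DOCTYPE before it reaches the real parser.

This is the parser-independent counterpart of the Java
"disallow-doctype-decl" feature: without a DTD a document cannot declare
entities, so the parser behind this check can neither fetch an external
entity nor expand an internal one.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML declares a DTD or an entity."""


def reject_doctype(data: bytes) -> None:
    """Tokenise `data` with expat and abort on the first DOCTYPE.

    The tokeniser, not a byte-level regex, decides what a declaration is, so
    "<!DOCTYPE" inside a comment or CDATA section does not trip the guard and
    a real declaration cannot hide in an encoding a regex would miss.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Entities only occur inside a DTD, so on_doctype normally fires first;
        # this second handler keeps the guard meaningful on its own.
        raise DoctypeRejected(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except DoctypeRejected:
        raise
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc


def parse_untrusted(data: bytes) -> ET.Element:
    """Run the guard, then hand the bytes to the application's normal parser."""
    reject_doctype(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Outcome of parse_untrusted as a label: 'parsed', 'rejected' or 'malformed'."""
    try:
        parse_untrusted(data)
    except DoctypeRejected:
        return "rejected"
    except ValueError:
        return "malformed"
    return "parsed"


# Constructed sample inputs; the SYSTEM identifier is a placeholder path.
SAFE_DOC = b"<order><item sku='A-1' qty='2'/></order>"
XXE_DOC = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/local/file'>]>"
           b"<order>&ext;</order>")
COMMENT_DOC = b"<!-- <!DOCTYPE order> --><order/>"
UTF16_DOC = ("<?xml version='1.0' encoding='UTF-16'?>"
             "<!DOCTYPE order [<!ENTITY e 'x'>]><order>&e;</order>").encode("utf-16")
TRUNCATED_DOC = b"<order>"

if __name__ == "__main__":
    for label, doc in [("safe", SAFE_DOC), ("external entity", XXE_DOC),
                       ("doctype in comment", COMMENT_DOC),
                       ("utf-16 doctype", UTF16_DOC), ("truncated", TRUNCATED_DOC)]:
        print(f"{label:20s} -> {classify(doc)}")
```

Because the guard runs before the real parser, it does not depend on that parser exposing a "disallow DOCTYPE" switch; it is the right place for the check when the application's XML library is wrapped behind code you do not control.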
If DTD processing is required for legitimate business purposes, implement strict input validation and use a whitelist approach to allow only known-safe entity references. Consider using simpler data formats like JSON when XML features are not necessary.