XML external entity injection (variant)

Description

XML External Entity (XXE) injection is a vulnerability that occurs when an XML parser processes external entity references from untrusted sources. XML parsers can be instructed to retrieve and include content from external URIs using entity declarations in the Document Type Definition (DTD). When user-controlled data is parsed without proper restrictions, attackers can define malicious external entities that cause the parser to access local files, internal network resources, or remote systems. This vulnerability was confirmed through DNS exfiltration to a controlled domain, demonstrating that the application processes external entities.

Remediation

Implement the following security controls to prevent XXE attacks:

1. Disable External Entity Processing (Recommended):
Configure your XML parser to disable DTD processing and external entity resolution entirely. Implementation varies by parser:

Java (DocumentBuilderFactory):

import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Reject any DOCTYPE outright: with no DTD there is nowhere to declare an entity (preferred)
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// If a DOCTYPE must be tolerated, still refuse external general and parameter entities
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Also disable XInclude and entity reference expansion
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);

PHP (libxml):

// PHP 8.0+ (external entity loading is disabled by default; libxml_disable_entity_loader() is deprecated)
// CRITICAL: Do NOT pass the LIBXML_NOENT flag to loadXML(), as it forces entity substitution.
$dom = new DOMDocument();
$dom->loadXML($xml);

// PHP < 8.0 (legacy protection): turn off the external entity loader before parsing
libxml_disable_entity_loader(true);
$dom = new DOMDocument();
$dom->loadXML($xml);

Python (lxml):

from lxml import etree

# resolve_entities=False leaves entity references unexpanded;
# no_network=True blocks fetching DTDs or entities over the network
parser = etree.XMLParser(resolve_entities=False, no_network=True)
doc = etree.parse(source, parser)  # source: a filename, file-like object, or URL


2. Use Less Complex Data Formats:
Where possible, use JSON or other simpler data formats that do not support external entity references.

3. Input Validation:
If external entities must be enabled for business requirements, implement strict allowlisting of acceptable entity values and validate all XML input against a defined schema (XSD).

4. Keep Libraries Updated:
Ensure all XML processing libraries are updated to the latest versions with security patches applied.
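An added example, not Invicti's code, of control 1 using only Python's standard library: a parser that refuses any DOCTYPE before the DTD is read, the stdlib counterpart of Java's disallow-doctype-decl and lxml's resolve_entities=False. The sample documents are constructed for the example.

```python
import xml.parsers.expat as expat


class DoctypeNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (the only place entities can be declared)."""


def parse_untrusted_xml(data: bytes) -> list[tuple[str, str]]:
    """Parse XML from an untrusted source, refusing any DOCTYPE declaration.

    Returns a flat list of (element name, text content) pairs in document order.
    Rejecting the DOCTYPE up front means no entity, internal or external, can
    ever be declared, so the parser never has anything to resolve.
    """
    parser = expat.ParserCreate()
    found: list[tuple[str, str]] = []
    open_elements: list[str] = []        # stack of currently open element names
    buffers: dict[int, list[str]] = {}   # text collected per nesting depth

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before any entity declaration is parsed
        raise DoctypeNotAllowed(f"DOCTYPE '{name}' is not allowed in untrusted XML")

    def start_element(name, attrs):
        open_elements.append(name)
        buffers[len(open_elements)] = []

    def char_data(text):
        if open_elements:
            buffers[len(open_elements)].append(text)

    def end_element(name):
        found.append((name, "".join(buffers.pop(len(open_elements))).strip()))
        open_elements.pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    # Defence in depth: returning 0 makes expat abort instead of resolving an external reference
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(data, True)
    return found


# Constructed sample inputs (not taken from the page)
CLEAN = b"<order><id>42</id><item>widget</item></order>"
INTERNAL_DTD = b'<!DOCTYPE order [<!ENTITY who "alice">]><order><customer>&who;</customer></order>'
EXTERNAL_DTD = b'<!DOCTYPE order SYSTEM "order.dtd"><order><id>7</id></order>'


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the DOCTYPE-free policy, False if it was rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except DoctypeNotAllowed:
        return False
```

Both DTD-bearing samples are rejected even though neither references a file or a network resource: the policy is "no DTD at all", which is what makes it robust against payload variants.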
