
XML External Entity (XXE)

A defect in XML parsers that dereference external entity declarations, letting attackers read local files, trigger SSRF, or exhaust resources.

Explainer

What it is

XXE targets XML parsers that honour external entities by default. The attacker supplies a DOCTYPE declaration pointing at file:///etc/passwd, a private URL, or a recursively expanding entity definition. A vulnerable parser resolves the entity and substitutes its contents into the parsed document, which the application then returns in a response, writes to a log, or forwards to a downstream service.

Why it matters

XXE is a three-for-one defect. It reads local files the application never meant to expose, it pivots into SSRF against internal services, and it can melt a service with quadratic or exponential entity expansion. XML-heavy surfaces — SAML endpoints, SOAP APIs, DOCX uploads, RSS ingestion — remain the most common victims.

Mitigation direction

Disable DTD processing and external entity resolution in every XML parser before handing it untrusted input. The exact flag differs by library (XMLConstants.FEATURE_SECURE_PROCESSING in Java, leaving XML_PARSE_NOENT unset in libxml2, resolve_entities=False in lxml). Prefer JSON where feasible; the attack surface is dramatically smaller.
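The following is an added example, not code from Pentrova or from any of the libraries named above. It shows the mitigation direction in Python's standard-library expat binding: the parser is configured to reject any DOCTYPE or entity declaration before a single entity can be dereferenced, parameter-entity parsing is disabled, and the external-entity callback refuses to fetch anything as a second line of defence. The function names (parse_untrusted, check_untrusted_xml) and the three sample documents are constructed for this example; the file-read and expansion documents are the two shapes described under "What it is" and are used here only as inputs that the hardened parser must refuse.

```python
"""Hardened XML parsing with the standard library: refuse DTDs outright so
external entities and entity-expansion bombs are never resolved."""
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_untrusted(data: bytes) -> dict:
    """Parse untrusted XML into a flat {element_name: text} map.

    Any DOCTYPE, any entity declaration, or any attempt to load an external
    entity aborts the parse instead of being honoured.
    """
    parser = expat.ParserCreate()
    # Never read external DTD subsets via parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Untrusted input has no business declaring a DTD at all.
        raise DtdRejected(f"DOCTYPE '{doctype_name}' not allowed in untrusted input")

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        # Covers both SYSTEM entities (file/URL reads) and internal ones (expansion).
        raise DtdRejected(f"entity declaration '{entity_name}' not allowed")

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: never fetch; returning 0 makes expat abort the parse.
        return 0

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref

    texts: dict = {}
    stack: list = []

    def start_element(name, attrs):
        stack.append(name)
        texts.setdefault(name, "")

    def end_element(name):
        stack.pop()

    def char_data(chunk):
        # expat may deliver text in several chunks; concatenate them.
        if stack:
            texts[stack[-1]] += chunk

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return {name: text.strip() for name, text in texts.items()}


def check_untrusted_xml(data: bytes) -> tuple:
    """Return (accepted, reason) so callers can log rejections without raising."""
    try:
        parse_untrusted(data)
        return True, "ok"
    except DtdRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"


# Constructed sample inputs for this example.
BENIGN = b'<?xml version="1.0"?><order><id>42</id><note>hello</note></order>'
XXE_FILE_READ = (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                 b'<order><id>&xxe;</id></order>')
EXPANSION = (b'<!DOCTYPE lol [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
             b'<lol>&b;</lol>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("file read", XXE_FILE_READ),
                       ("expansion", EXPANSION)):
        print(label, "->", check_untrusted_xml(doc))
```

Rejecting the DOCTYPE wholesale is the simplest policy and the one to reach for when the application never needs a DTD; it closes the file-read, SSRF and expansion variants in one move. If a schema-validated feed genuinely requires a DTD, keep the external-entity refusal and the parameter-entity setting and add an explicit cap on entity count. With lxml the equivalent configuration is an etree.XMLParser created with resolve_entities=False and no_network=True.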

  • Cross-Site Scripting (XSS)

    An injection flaw where attacker-controlled data reaches a browser-side scripting sink, letting the attacker execute script in the victim's session origin.

  • Log4Shell (CVE-2021-44228)

    A remote code execution flaw in Apache Log4j 2.x where JNDI lookups inside logged strings caused servers to fetch and execute attacker classes.

  • SQL Injection (SQLi)

    An injection flaw where attacker-controlled input is concatenated into a SQL statement, letting the attacker read, modify, or exfiltrate database content.
