XML External Entities (XXE)

XXE vulnerabilities occur when an XML parser processes untrusted input with external entity resolution enabled, so that a DOCTYPE supplied by the attacker decides what the parser fetches. The usual impact is disclosure of local files, server-side request forgery against internal services (through http:// entities) and denial of service through nested entity expansion; remote code execution is possible only in particular runtimes, such as PHP with the expect:// wrapper enabled.

<!-- Attacker-supplied document (external general entity): a parser that resolves SYSTEM entities substitutes the file contents for &xxe; -->
<!DOCTYPE user [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<user>
  <name>&xxe;</name>
</user>

<!-- A second payload, not a fix: the parameter-entity variant. The parser fetches the target while it is still reading the DTD, so nothing needs to appear in the body; in practice the SYSTEM identifier points at an attacker-hosted DTD that declares further entities, which is the basis of blind (out-of-band) XXE -->
<!DOCTYPE user [
  <!ENTITY % xxe SYSTEM "file:///etc/passwd">
  %xxe;
]>
<user>
  <name>John Doe</name>
</user>

<!-- Secure code means parser configuration, not a different document: disable external entity resolution for both general and parameter entities and, unless the application genuinely needs DTDs, reject any DOCTYPE. Nothing written inside the XML can make it safe, because the attacker writes the XML -->
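The following is an added example, not code from the original page: a Python `xml.sax` parser for the page's `<user><name>` document, with the two settings a practitioner actually controls exposed as keyword flags (`resolve_external_entities`, which maps to the `feature_external_ges` feature, and `allow_dtd`, implemented with a lexical handler that aborts on `startDTD`). It goes slightly beyond the page by also showing why switching off external entities is not enough on its own: an entity-expansion document that declares no external entity at all still inflates under that setting, and only rejecting the DOCTYPE stops it. The secret file, the `SECRET` value and all function names are constructed for this demo; the secret file stands in for `/etc/passwd` so the example runs anywhere without network access.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler

# Constructed stand-in for /etc/passwd so the demo runs anywhere.
SECRET = "api-key-d34dbeef"
BENIGN = b"<user><name>John Doe</name></user>"


class DtdRejected(Exception):
    """Raised when a document carries a DOCTYPE and the caller did not allow one."""


class _NameCollector(handler.ContentHandler):
    """Collects the text inside <name>, mirroring the page's sample documents."""

    def __init__(self):
        super().__init__()
        self._in_name = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "name":
            self._in_name = True

    def endElement(self, name):
        if name == "name":
            self._in_name = False

    def characters(self, content):
        if self._in_name:
            self._parts.append(content)

    def text(self):
        return "".join(self._parts)


class _RejectDtd:
    """Lexical handler whose only job is to abort parsing the moment a DOCTYPE appears."""

    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE {name!r} is not accepted in untrusted input")

    # The other LexicalHandler callbacks are wired up by expatreader but unused here.
    endDTD = comment = startCDATA = endCDATA = lambda self, *args: None


def parse_name(xml_bytes, *, resolve_external_entities=False, allow_dtd=False):
    """Return the <name> text. Defaults are the hardened settings; the flags
    exist only so the vulnerable behaviour can be shown side by side."""
    parser = xml.sax.make_parser()
    # Knob 1: whether SYSTEM entities (file://, http://) are fetched. expat routes
    # general and parameter entities through the same hook, so this covers the
    # %xxe; variant as well. Leaving it on is the XXE bug.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    # Knob 2: refuse any DOCTYPE. Knob 1 alone still lets internal entities
    # expand (entity-expansion DoS), so this is the setting to prefer.
    if not allow_dtd:
        parser.setProperty(handler.property_lexical_handler, _RejectDtd())
    collector = _NameCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def rejects_doctype(xml_bytes):
    """True when the hardened defaults refuse the document outright."""
    try:
        parse_name(xml_bytes)
    except DtdRejected:
        return True
    return False


def write_secret_file():
    """Write the constructed secret to a temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "secret.txt")
    with open(path, "w") as fh:
        fh.write(SECRET)
    return path


def xxe_payload(secret_path):
    """The page's external-entity payload, pointed at the constructed secret file."""
    uri = Path(secret_path).as_uri()
    return (f'<!DOCTYPE user [ <!ENTITY xxe SYSTEM "{uri}"> ]>'
            "<user><name>&xxe;</name></user>").encode()


def expansion_payload(depth=3, fanout=10):
    """Nested internal entities only (a small 'billion laughs'); no file access."""
    decls = ['<!ENTITY lol "lol">']
    for level in range(1, depth + 1):
        prev = "lol" if level == 1 else f"lol{level - 1}"
        decls.append(f'<!ENTITY lol{level} "{("&" + prev + ";") * fanout}">')
    return (f"<!DOCTYPE user [{''.join(decls)}]>"
            f"<user><name>&lol{depth};</name></user>").encode()


if __name__ == "__main__":
    payload = xxe_payload(write_secret_file())
    print("external entities on :", parse_name(payload, resolve_external_entities=True, allow_dtd=True))
    print("external entities off:", repr(parse_name(payload, allow_dtd=True)))
    print("expansion, DTD allowed:", len(parse_name(expansion_payload(), allow_dtd=True)), "chars")
    print("DOCTYPE rejected     :", rejects_doctype(payload))
    print("benign document      :", parse_name(BENIGN))
```

With both flags set to the vulnerable values the secret is returned verbatim; with only external resolution disabled the entity expands to an empty string, but the expansion document still produces 3,000 characters of output from a few hundred bytes of input, which is the DoS the page mentions. With the defaults, any DOCTYPE raises `DtdRejected` before a single entity is declared, while the plain `BENIGN` document parses normally. Current Python releases already default `feature_external_ges` to off, so the dangerous setting here is opt-in, as it should be in any parser you ship.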
