XML external entity (XXE)
XML external entity (XXE)
(also XXE, XML external entity injection, XML external entity attack, XXE attack)
XML external entity definition
XML external entity (or XXE) is a cyberattack during which an attacker interferes with the processing of XML data within the web app. The attack occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser (reader).
Types of XML external entity attacks
- In-band. In-band XXE attacks let the attacker receive an immediate response to the XXE payload and are more common.
- Out-of-band. With out-of-band XXE attacks (or blind XXE), there is no immediate response from the web application.
Real-life XML external entity attack examples
- In 2017, research by Check Point found vulnerabilities in Android development and reverse-engineering tools, which are popular among engineers, developers, and researchers. Issues found could have led to sensitive data exposure and malicious users taking over devices running APKTool (a tool for reverse-engineering apps).
Preventing XXE attacks
- Manually disable DTDs (external entities).
- Insert checkpoints in specific parts of your code to monitor runtime execution.
- Use security tools like dynamic application security testing (DAST) or web application firewalls (WAF).
- Harden configuration against XXE – limit permissions, handle errors, validate all inputs, use encryption and authentication, and limit outbound traffic and DNS communications.