
XML Injection

(also XML code injection)

XML Injection definition

XML Injection is a cyber attack that exploits weaknesses in how a web application handles XML data. An attacker inserts malicious XML content through the application's input fields, such as forms, URL parameters, or cookies, with the aim of manipulating how the application processes its XML data.

See also: XML external entity, XPath injection
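As an added illustration of the definition above (example code written for this entry, not taken from any particular product), the snippet below builds a user record from untrusted input in two ways: by pasting the value straight into XML markup, and through an XML API that turns it into an escaped text node. The input value `CRAFTED_NAME` is constructed for the demonstration.

```python
# Added example: untrusted input concatenated into XML markup versus
# inserted through an XML API that escapes it.
import xml.etree.ElementTree as ET


def build_user_xml_unsafe(username: str, email: str) -> str:
    """Vulnerable: untrusted values are pasted straight into the markup,
    so any markup characters they contain change the document structure."""
    return f"<user><name>{username}</name><email>{email}</email></user>"


def build_user_xml_safe(username: str, email: str) -> str:
    """Hardened: values become text nodes; ElementTree escapes '<', '>' and '&'
    when serialising, so the input stays data and never becomes markup."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = username
    ET.SubElement(user, "email").text = email
    return ET.tostring(user, encoding="unicode")


def child_tags(xml_text: str) -> list[str]:
    """Parse the document and list the child elements of <user>.
    Extra elements here mean the input altered the structure."""
    root = ET.fromstring(xml_text)
    return [child.tag for child in root]


def name_text(xml_text: str) -> str:
    """Return the text of the first <name> element after a parse round trip."""
    return ET.fromstring(xml_text).findtext("name")


# Constructed input (not a real user name): a value that carries markup.
CRAFTED_NAME = "alice</name><note>injected</note><name>"
EMAIL = "alice@example.com"  # constructed sample value

if __name__ == "__main__":
    unsafe = build_user_xml_unsafe(CRAFTED_NAME, EMAIL)
    safe = build_user_xml_safe(CRAFTED_NAME, EMAIL)
    print("unsafe:", child_tags(unsafe))  # input added a <note> element
    print("safe:  ", child_tags(safe))    # structure unchanged
    print("safe name round-trips:", name_text(safe) == CRAFTED_NAME)
```

The unsafe builder yields a document with an extra element the application never intended, while the safe builder preserves the input as plain text; comparing the parsed structure against the expected one is a cheap check to add in tests.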

The history of XML Injection

In the late 1990s, cybercriminals started exploiting XML-based code injection techniques to compromise web applications. By injecting hostile code, attackers could manipulate the app's data processing and execute unauthorized actions.

Around the mid-2000s, XML Injection attacks became more prevalent. They targeted a wide range of web programs: from simple content management systems to complex enterprise portals. Attackers leveraged XML Injection to gain unauthorized access to sensitive data, disrupt services, and deface websites.

In response to the expanding cyber threat landscape, security communities collaborated to share knowledge and best practices for preventing XML Injection attacks. This led to the development of secure coding guidelines that help protect applications from XML Injection and improve overall security.