👨‍💻
Application Security Handbook
  • Application Security Handbook
  • Web Application
    • Authentication
      • Authentication with Login and Password
      • Authentication with Phone Number
      • OAuth 2.0 Authentication
      • Multi-factor Authentication
      • Default Passwords
      • Password Change
      • Password Policy
      • Password Reset
      • Password Storage
      • One Time Password (OTP)
      • Email Address Confirmation
    • Authorization
    • Concept of Trusted Devices
    • Content Security Policy (CSP)
    • Cookie Security
    • Cryptography
      • Cryptographic Keys Management
      • Encryption
      • Hash-based Message Authentication Code (HMAC)
      • Hashing
      • Random Generators
      • Universal Unique Identifier (UUID)
    • Error and Exception Handling
    • File Upload
    • Input Validation
    • JSON Web Token (JWT)
    • Logging and Monitoring
    • Output Encoding
    • Regular Expressions
    • Sensitive Data Management
    • Session Management
    • Transport Layer Protection
    • Vulnerability Mitigation
      • Brute-force
      • Command Injection
      • Cross-Site Request Forgery (CSRF)
      • Cross-Site Scripting (XSS)
      • Mass Parameter Assignment
      • Parameter Pollution
      • Path Traversal
      • Regular Expression Denial of Service (ReDoS)
      • SQL Injection (SQLi)
      • XML External Entity (XXE) Injection
Powered by GitBook
On this page
  • Overview
  • General
  • Disabling DTDs (external entities)
  • References
  1. Web Application
  2. Vulnerability Mitigation

XML External Entity (XXE) Injection

PreviousSQL Injection (SQLi)

Last updated 1 year ago

Overview

XML external entity injection (XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by an application.

For example, if an application is vulnerable to XXE, an attacker can retrieve the /etc/passwd file by submitting the following XXE payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the productId value. This causes the application's response to include the contents of the /etc/passwd file.

You can find more details at .

This page contains recommendations for the implementation of protection against XML External Entity (XXE) injection attacks.

General

  • Disable DTDs (external entities) completely.

  • If it is not possible to disable DTDs (external entities) completely, disable external entities and external document type declarations.

  • Use up-to-date XML parsers that are actively maintained by a community or its authors.

Disabling DTDs (external entities)

import (
    "encoding/xml"
)

func handler(w http.ResponseWriter, r *http.Request) {
    decoder := xml.NewDecoder(r.Body)
    for {
        token, err := decoder.Token()
    // ...
    }
}

References

Disabling DTDs (external entities) depends on the XML parser being used. You can find prevention guidance for many languages and commonly used XML parsers in those languages at the following link .

Use the package to work with XML in Go. Go's XML decoder does not process XML DTDs (external entities), therefore, it is protected against XXE by default.

OWASP Cheat Sheet Series: XML External Entity Prevention Cheat Sheet
encoding/xml
OWASP Cheat Sheet Series: XML External Entity Prevention Cheat Sheet
PortSwigger Web Security Academy: XML external entity (XXE) injection