# XML External Entity (XXE) Injection

## Overview

XML external entity injection (XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by an application.

For example, if an application is vulnerable to XXE, an attacker can retrieve the `/etc/passwd` file by submitting the following XXE payload:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
```

This XXE payload defines an external entity `&xxe;` whose value is the contents of the `/etc/passwd` file and uses the entity within the `productId` value. This causes the application's response to include the contents of the `/etc/passwd` file.

You can find more details at [PortSwigger Web Security Academy: XML external entity (XXE) injection](https://portswigger.net/web-security/xxe).

This page contains recommendations for the implementation of protection against XML External Entity (XXE) injection attacks.

## General


* Disable DTDs (external entities) completely.
* If it is not possible to disable DTDs (external entities) completely, disable external entities and external document type declarations.
* Use up-to-date XML parsers that are actively maintained by a community or its authors.

## Disabling DTDs (external entities)

How DTDs (external entities) are disabled depends on the XML parser in use. Prevention guidance for many languages, and for the XML parsers commonly used in each of them, is collected in the [OWASP Cheat Sheet Series: XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html).

{% tabs %}
{% tab title="Go" %}
Use the [encoding/xml](https://pkg.go.dev/encoding/xml) package to work with XML in Go. Go's XML decoder does not process DTDs (it neither resolves declared entities nor fetches external document type declarations), so it is protected against XXE by default.

```go
import (
    "encoding/xml"
    "io"
    "net/http"
)

func handler(w http.ResponseWriter, r *http.Request) {
    // The decoder returns a DOCTYPE as an opaque Directive token and never
    // expands the entities it declares, so external entities are not resolved.
    decoder := xml.NewDecoder(r.Body)
    for {
        token, err := decoder.Token()
        if err == io.EOF {
            break
        }
        if err != nil {
            http.Error(w, "invalid XML", http.StatusBadRequest)
            return
        }
        // ... process token
        _ = token
    }
}
```

{% endtab %}
{% endtabs %}
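As an added example (not code from this handbook or from the `encoding/xml` package), the program below feeds the page's own payload to Go's default decoder, showing that `&xxe;` is reported as a syntax error rather than expanded, and then layers the "disable DTDs completely" recommendation on top by refusing any document that carries a DOCTYPE directive. The `StockCheck` struct, the function names, the `ErrDoctype` value and the benign sample input are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed sample input: the XXE payload shown on the page.
const xxePayload = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>`

// Constructed sample input: a benign request with no DOCTYPE.
const benignPayload = `<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>381</productId></stockCheck>`

// StockCheck maps the document in the payload onto a struct (assumed shape).
type StockCheck struct {
	XMLName   xml.Name `xml:"stockCheck"`
	ProductID string   `xml:"productId"`
}

// ErrDoctype is returned when the input carries a DOCTYPE declaration.
var ErrDoctype = errors.New("xml: DOCTYPE declarations are not accepted")

// rejectDoctype walks the token stream and fails on any <!DOCTYPE ...> directive.
// encoding/xml hands the declaration back as an xml.Directive and never resolves
// the entities it declares, so this check is defence in depth: it turns the
// "disable DTDs completely" recommendation into an explicit refusal of such input.
func rejectDoctype(data []byte) error {
	dec := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if dir, ok := tok.(xml.Directive); ok {
			if strings.HasPrefix(strings.ToUpper(strings.TrimSpace(string(dir))), "DOCTYPE") {
				return ErrDoctype
			}
		}
	}
}

// unmarshalOnly decodes with the default (Strict) decoder and nothing else.
// The decoder ignores <!ENTITY> declarations, so &xxe; is an unknown entity:
// Unmarshal returns a syntax error and /etc/passwd is never opened.
func unmarshalOnly(data []byte) (StockCheck, error) {
	var sc StockCheck
	err := xml.Unmarshal(data, &sc)
	return sc, err
}

// decodeStockCheck is the hardened path: refuse DOCTYPEs first, then decode.
func decodeStockCheck(data []byte) (StockCheck, error) {
	var sc StockCheck
	if err := rejectDoctype(data); err != nil {
		return sc, err
	}
	err := xml.Unmarshal(data, &sc)
	return sc, err
}

func main() {
	for name, in := range map[string]string{"xxe": xxePayload, "benign": benignPayload} {
		sc, err := unmarshalOnly([]byte(in))
		fmt.Printf("%-6s unmarshal only: productId=%q err=%v\n", name, sc.ProductID, err)
		sc, err = decodeStockCheck([]byte(in))
		fmt.Printf("%-6s hardened:       productId=%q err=%v\n", name, sc.ProductID, err)
	}
}
```

The DOCTYPE check rejects the document before the decoder ever reaches the entity reference, which gives a clear, auditable error instead of relying on a parser detail; it also keeps the policy in place if the parsing code is later swapped for a library that does honour DTDs.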

## References

* [OWASP Cheat Sheet Series: XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
