XML EXTERNAL EXTITY (XXE)

XXE Injection occurs when unsanitized user-controlled XML input allows attackers to exploit XML features for malicious actions, potentially harming web applications and back-end servers. attackers who are able to define external entities can eventually reference local files from the back-end server and display their content leading to information disclosure.

URI SCHEMES

MITIGATION

XXE vulnerabilities mainly occur when an unsafe XML input references an external entity.

• avoid outdated XML libraries that parses the XML data

• Use safe XML configurations

  • Disable referencing custom Document Type Definitions (DTDs)

  • Disable referencing External XML Entities

  • Disable Parameter Entity processing

  • Disable support for XInclude

  • Prevent Entity Reference Loops

• always have proper exception handling in webapps and always disable displaying runtime errors.

• implement Web Application Firewalls (WAFs)