Skip to content

XXE Injection

Description

External entities is an element of XML documents, and attackers may replace the entity value with malicious data, alternate referrals, or compromise the security of the data the server/XML application has access to. Attackers may also use External Entities to have the web services download malicious code or content on the server for use in secondary or follow up attacks.

Remediation

To safely prevent XXE attacks, always disable DTDs (External Entities) completely. Disabling DTDs also helps secure the parser against Denial of Services attacks such as Billion Laughs. If it is not possible to disable DTDs completely, disable external entities and external document type declarations in the way that's specific to each parser.

GraphQL Specific

Apollo To mitigate XXE (XML External Entity) injection vulnerabilities in the Apollo framework engine, ensure that any XML parsing libraries or components are configured to disallow the processing of external entities. Set features like 'disallow-doctype-decl' to true, and if possible, use less complex data formats such as JSON. Always validate and sanitize input to prevent malicious data from being processed. Additionally, keep all dependencies up-to-date to incorporate security patches that prevent XXE attacks.
Yoga To prevent XXE (XML External Entity) injection attacks in the Yoga framework engine, ensure that XML parsing is configured to disallow the processing of external entities. This can typically be achieved by setting features like 'disallow-doctype-decl' to true and 'external-general-entities' as well as 'external-parameter-entities' to false on the XML parser. Additionally, consider using less complex data formats such as JSON, and employ security-conscious libraries that are less susceptible to XXE attacks. Always keep the framework and its dependencies up to date with the latest security patches.
Awsappsync To mitigate XXE (XML External Entity) injection vulnerabilities in AWS AppSync, ensure that the XML parsing library or framework in use is configured to disallow the processing of external entities. Set features like 'disallow-doctype-decl' to true, and disable external DTDs and external entity processing. Regularly update your XML parsers to the latest versions to incorporate security fixes. Additionally, implement input validation to reject XML documents containing DOCTYPE declarations or any suspicious XML constructs. As a best practice, consider using less complex data formats such as JSON that are less susceptible to XXE attacks.
Graphqlgo To mitigate XXE (XML External Entity) injection vulnerabilities in a GraphQL Go framework engine, ensure that any XML parsing library or functionality used within the GraphQL resolvers is configured to disallow the processing of external entities. This can typically be achieved by setting the appropriate parser flags or options to disable DTDs (Document Type Definitions), external entities, and external doctype declarations. Additionally, always validate and sanitize input to prevent malicious data from being processed, and consider implementing a content security policy that restricts the sources from which external content can be loaded.
Graphqlruby To mitigate XXE (XML External Entity) injection vulnerabilities in a GraphQL Ruby framework, ensure that any XML parsing libraries or methods used within the application are configured to disallow the processing of external entities. Set options such as 'XML::XXE::Parser.default_options' to non-permissive values that prevent the expansion of external entities. Additionally, consider using a whitelist approach to filter out potentially malicious document type definitions (DTDs) and always validate and sanitize input to prevent the introduction of malicious XML content.
Hasura To mitigate XXE (XML External Entity) injection vulnerabilities in the Hasura framework, ensure that any XML parsing libraries or processors used by the engine are configured to disallow the processing of external entities. Additionally, always validate and sanitize input to reject any XML or JSON that contains unexpected or unnecessary data. Keep the Hasura engine and all its dependencies up to date with the latest security patches.
Agoo Disable external entity processing in the XML parser configuration of the Agoo framework engine to prevent XXE attacks.
Ariadne Disable external entity processing in the Ariadne framework's XML parser to prevent XXE attacks.
Caliban Disable external entity processing in the Caliban framework engine to prevent XXE attacks.
Dgraph Disable external entity processing in the XML parser configuration to prevent XXE attacks in the Dgraph framework engine.
Dianajl Disable external entity processing in the XML parser configuration of the DianaJL framework engine to prevent XXE attacks.
Directus Disable external entity processing in XML parsers used by the Directus framework to prevent XXE attacks.
Flutter Ensure that XML parsers in the Flutter framework engine are configured to disable external entity processing to prevent XXE vulnerabilities.
Graphene Disable external entity processing in the XML parser configuration for the Graphene framework engine to prevent XXE attacks.
Graphqlapiforwp Disable XML external entity (XXE) processing in the GraphQL API for WP framework engine to prevent malicious data injection and unauthorized access.
Graphqlgophergo Disable XML external entity (XXE) processing in the GraphQL Gopher-Go framework by configuring the XML parser to disallow external entities.
Graphqljava Disable external entity processing in the XML parser configuration to prevent XXE vulnerabilities in the GraphQL Java framework.
Graphqlphp Disable XML external entity (XXE) processing in the GraphQL-PHP framework by configuring the XML parser to not process external entities, or use a library that does not support XXE by default.
Graphqlyoga Disable XML external entity (XXE) processing in the GraphQL Yoga framework by configuring the XML parser to not resolve external entities.
Hypergraphql Disable external entity processing in XML parsers used by the HyperGraphQL framework to prevent XXE attacks.
Jaal Disable external entity processing in the XML parser configuration to prevent XXE attacks in the Jaal framework engine.
Juniper Disable external entity processing in XML parsers used by the Juniper framework engine to prevent XXE attacks.
Lacinia Disable external entity processing in the Lacinia framework to prevent XXE attacks.
Lighthouse Disable external entity processing in XML parsers to prevent XXE attacks.
Mercurius Disable external entity processing in the XML parser configuration to prevent XXE vulnerabilities in the Mercurius framework engine.
Morpheusgraphql Disable external entity processing in the XML parser configuration of the MorpheusGraphQL framework engine to prevent XXE attacks.
Qglgen Disable XML external entity (XXE) processing in the gqlgen framework by configuring the XML parser to disallow external entities.
Sangria Disable external entity processing in the XML parser configuration for the Sangria framework engine to prevent XXE attacks.
Shopify Disable external entity processing in the Shopify Liquid template engine to prevent XXE attacks.
Stepzen Disable external entity processing in the StepZen framework by configuring the XML parser to disallow DOCTYPE declarations and external entities.
Strawberry Disable external entity processing in the Strawberry Framework engine to prevent XXE attacks.
Tartiflette Ensure proper validation and sanitization of XML input to prevent XXE attacks in the Tartiflette framework.
Wpgraphql Disable XML external entity (XXE) processing in the WPGraphQL framework to prevent malicious data injection and ensure secure handling of XML documents.

REST Specific

Asp_net In ASP.NET, to prevent XXE (XML External Entity) injection attacks, ensure that your XML parsing is configured to disallow the processing of external entities. You can achieve this by setting the XmlReaderSettings.DtdProcessing property to DtdProcessing.Prohibit and creating an XmlReader instance with these settings. Additionally, avoid using XmlDocument and XmlTextReader unless you explicitly set their XmlResolver property to null. Always validate input and consider using secure coding practices such as encoding output and employing the principle of least privilege for your application's permissions.
Ruby_on_rails In Ruby on Rails, ensure that XML parsing is configured to disallow the use of external entities. Set the 'XML::XXE' option to false when using libraries like Nokogiri for XML parsing, and avoid calling 'document.parse' with untrusted data. Additionally, consider using a safe parsing option like 'REXML::Document.new(xml, { safe: true })' to mitigate XXE risks.
Next_js To prevent XXE Injection attacks in a Next.js application, ensure that any XML parsing library you use is configured to disallow the processing of external entities. Additionally, always validate and sanitize input data to restrict the inclusion of potentially malicious content.
Laravel In Laravel, disable XML external entity (XXE) processing in your XML parsing library or use a secure, modern library that is not vulnerable to XXE attacks. Additionally, ensure that any user-supplied XML or JSON is properly validated and sanitized before processing. Set the 'libxml_disable_entity_loader' function to true to prevent XXE in older PHP versions, and avoid using the 'simplexml_load_string' or 'DOMDocument::loadXML' functions with external entities. Always keep your Laravel framework and its dependencies up to date with the latest security patches.
Express_js To mitigate XXE (XML External Entity) injection attacks in Express.js applications, ensure that any XML parsing library you use is configured to disallow the processing of external entities. Set the 'xml2js' parser option 'explicitCharkey' to false and 'resolveEntities' to false. Additionally, disable DTDs (Document Type Definitions) by setting the 'xml2js' option 'disallowDoctype' to true. Always validate and sanitize input data rigorously, and consider using a less complex data format like JSON that is not susceptible to XXE attacks.
Django In Django, ensure that any XML parsing libraries or functions are configured to not resolve external entities. Use defusedxml, which is a Python package that provides a safer version of the standard XML libraries with protections against various XML attacks, including XXE. Always keep your Django framework and its dependencies up-to-date to benefit from the latest security patches.
Symfony In Symfony, to prevent XXE (XML External Entity) injection attacks, disable the loading of external entities in the libxml library by setting the 'LIBXML_NOENT' flag to 'false'. Use the 'disableEntityLoader' method if available, or ensure that any XML parsing libraries or components used in the framework are configured to not resolve external entities. Additionally, validate and sanitize all input data rigorously.
Spring_boot In Spring Boot applications, to prevent XXE Injection attacks, ensure that your XML processing libraries, such as JAXB, are configured to not resolve external entities. Set the 'FEATURE_SECURE_PROCESSING' feature to true on DocumentBuilderFactory, SAXParserFactory, and XMLReader instances. Additionally, disable support for external entities and DTDs by setting the 'disallow-doctype-decl' feature to true. Always validate and sanitize input, and consider using less complex data formats like JSON that are not susceptible to XXE attacks.
Flask In Flask applications, to prevent XXE (XML External Entity) attacks, ensure that any XML parsing libraries are configured to disallow the processing of external entities. For example, when using lxml, you can disable external entity processing by setting the 'no_network' and 'resolve_entities' options to False. Additionally, use defusedxml, which is a safer XML parsing library that prevents XXE by default. Always validate and sanitize input to ensure it does not contain unexpected or malicious data before processing it.
Nuxt In Nuxt.js, to prevent XXE (XML External Entity) injection attacks, ensure that any XML parsing library you use is configured to disallow the processing of external entities. Additionally, avoid serializing untrusted data to XML and use safe data handling libraries that are designed to resist XXE attacks. Always keep your dependencies up-to-date to incorporate security patches.
Fastapi In FastAPI, to prevent XXE (XML External Entity) injection attacks, ensure that any XML parsing libraries are configured to disallow the processing of external entities. Additionally, use dependency injection to provide XML parsers with secure configurations, and avoid serializing sensitive data to XML when possible. Always validate and sanitize input to reject any XML or JSON that contains unexpected external entity references.
Frappe Disable XML external entity (XXE) processing in the Frappe framework by configuring the XML parser to disallow external entities and DTDs.
Genzio Disable external entity processing in the Genzio framework engine to prevent XXE attacks.
Gin Disable XML external entity (XXE) processing in the XML parser or use a secure XML parser that does not support external entities.
Gorilla Disable DTDs (Document Type Definitions) in the XML parser to prevent XXE attacks.
Hapi Disable XML external entity (XXE) processing in the Hapi framework by configuring the XML parser to disallow external entities.
Hono Disable external entity processing in the XML parser configuration to prevent XXE vulnerabilities in the Hono framework engine.
Jersey Disable DTDs (Document Type Definitions) in the Jersey framework to prevent XXE attacks by configuring the XML parser to disallow external entity resolution.
Koa Disable XML external entity (XXE) processing in the Koa framework by using a secure XML parser that does not process external entities, or by configuring the XML parser to disallow external entities.
Ktor Disable external entity processing in the XML parser configuration
Leptos Disable external entity processing in the XML parser configuration to prevent XXE vulnerabilities in the Leptos framework.
Macaron Disable external entity processing in the XML parser configuration to prevent XXE vulnerabilities in the Macaron framework.
Phoenix Disable external entity processing in XML parsers and use libraries that do not support external entities in the Phoenix framework.
Redwoodjs Disable XML external entity (XXE) processing in RedwoodJS by configuring the XML parser to disallow external entities and use secure libraries that do not process external entities by default.
Rocket Disable XML external entity (XXE) processing in the Rocket Framework engine to prevent malicious data injection and unauthorized access.
Sveltekit Disable XML external entity (XXE) processing in the SvelteKit framework by configuring the XML parser to not resolve external entities, or use a library that does not support external entities by default.

Configuration

Identifier: injection/xxe

Examples

Ignore this check

checks:
  injection/xxe:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-32
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 611

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • CVSS_SCORE: 6.8

References