External entities are a feature of XML document type definitions (DTDs). An attacker who controls an XML document can replace an entity's value with malicious data, point it at an alternate resource, or use it to read data that the server or XML application has access to. External entities can also make the web service fetch attacker-controlled code or content onto the server for use in secondary or follow-up attacks.
To safely prevent XXE attacks, always disable DTD processing (and with it external entities) completely. The exact setting depends on the parser.
Disabling DTDs also helps secure the parser against denial-of-service attacks such as Billion Laughs.
If it is not possible to disable DTDs completely, disable external entities and external document type declarations in the way that is specific to each parser.
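The two options above, shown in Python's standard-library expat parser as an added example (this code is not from the original page): the primary control fails closed on any DOCTYPE, and the fallback controls stop external entity and parameter-entity resolution even if a DTD were reached. Function and class names are my own; the sample documents are constructed inline.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class DtdForbidden(ValueError):
    """Raised when a document carries a DOCTYPE and DTD processing is disabled."""


def parse_xml_no_dtd(data: bytes) -> ET.Element:
    """Parse XML into an ElementTree, rejecting any DTD before it is processed."""
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Primary control: reject DTDs completely. This fires before any
        # entity declaration (internal or external) is processed.
        raise DtdForbidden(f"DOCTYPE '{name}' rejected: DTD processing is disabled")

    parser.StartDoctypeDeclHandler = forbid_doctype
    # Fallback controls (the "cannot disable DTDs" case): never load external
    # entities and never expand parameter entities from an external subset.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Forward the SAX-style events into an ElementTree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data: bytes) -> bool:
    """True if the document is refused because it declares a DTD."""
    try:
        parse_xml_no_dtd(data)
    except DtdForbidden:
        return True
    return False


# Constructed sample inputs: a plain document and one that declares a
# (harmless, internal) entity via a DOCTYPE. The hardened parser accepts the
# first and refuses the second without ever expanding the entity.
SAFE_DOC = b'<?xml version="1.0"?><order><id>42</id></order>'
DTD_DOC = b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY e "x">]><order>&e;</order>'

if __name__ == "__main__":
    print(parse_xml_no_dtd(SAFE_DOC).find("id").text)  # 42
    print(is_rejected(DTD_DOC))  # True
```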
To prevent XXE in Apollo Server, ensure that any XML parsing, or libraries that parse XML, are configured to disallow the processing of external entities.
In Yoga, disable external entity processing in XML parsing to mitigate XXE risks.
For AWS AppSync, avoid using any XML parsing libraries that do not allow you to disable external entities. If you must parse XML, configure the parser to disable external entities.
When using GraphQL with Go, ensure that your XML parser library is configured to ignore DOCTYPE and external entities.
In GraphQL-Ruby, ensure that XML parsing is done with external entity processing disabled.
For Hasura, it's important to validate and sanitize any user-supplied XML before processing and to configure the XML parser to disable external entities.
In ASP.NET, use XmlReaderSettings with DtdProcessing set to Prohibit to prevent XXE.
For Ruby on Rails applications, use Nokogiri with a strict configuration that disables external entity resolution to prevent XXE attacks.
In Next.js, ensure that any server-side XML parsing disallows the processing of external entities.
Laravel should use libxml settings to disable external entities when parsing XML.
For Express.js, use body-parser-xml and configure it to reject external entities.
In Django, use defusedxml to parse XML and prevent XXE attacks.
Symfony applications should use the DOMDocument class with proper configuration to prevent XXE.
For Spring Boot, configure XMLInputFactory to prevent XXE attacks.
In Flask, use lxml with proper configuration to parse XML and prevent XXE.
Nuxt.js applications should ensure server-side XML parsing libraries are configured to prevent XXE.
- Escape Severity: HIGH
- OWASP: API10:2023
- pci: 6.5.1
- gdpr: Article-32
- soc2: CC6.1
- psd2: Article-32
- iso27001: A.14.2
- nist: SP800-53
- fedramp: AC-4
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
- CVSS_SCORE: 6.8