
XXE Injection

Description

External entities are a feature of XML documents: an entity declared in the DTD can reference content outside the document. An attacker who controls the XML can replace an entity's value with malicious data or point it at an alternate location, and so read or compromise data that the server or XML application has access to. Attackers may also use external entities to make the web service download malicious code or content onto the server for use in secondary or follow-up attacks.

Remediation

To safely prevent XXE attacks, always disable DTDs (and with them external entities) completely. The exact method depends on the parser, but it should be similar to the following (shown here for a Java DocumentBuilderFactory backed by Xerces):

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Disabling DTDs also protects the parser against denial-of-service attacks such as Billion Laughs.

If it is not possible to disable DTDs completely, disable external entities and external document type declarations using the setting specific to each parser.
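The two remediation modes above (reject every DOCTYPE, or keep internal DTDs but refuse anything external), shown as an added example on Python's standard-library expat parser. This is not Escape's code and not taken from any of the frameworks listed below; the function names, the policy exception and the sample documents are constructed for illustration, and the placeholder file and DTD URLs are not real resources.

```python
# Added example (not Escape's code): a hardened XML parse on Python's
# standard-library expat parser that enforces the Remediation policy.
import xml.parsers.expat as expat


class XxeRejected(Exception):
    """Raised when the document contains a construct the policy forbids."""


def parse_hardened(xml_bytes, allow_dtd=False):
    """Parse XML into a {tag: text} dict, raising XxeRejected on a policy hit.

    allow_dtd=False: any DOCTYPE is refused (the primary recommendation).
    allow_dtd=True:  an internal subset is accepted, but external entity
                     declarations, external DTD references and external
                     entity resolution are refused (the fallback).
    """
    parser = expat.ParserCreate()
    # Never load external parameter entities, i.e. never fetch an external DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise XxeRejected("DOCTYPE declarations are disabled")
        if system_id is not None or public_id is not None:
            raise XxeRejected("external document type declaration refused")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # An entity with a SYSTEM or PUBLIC id points outside the document.
        if system_id is not None or public_id is not None:
            raise XxeRejected(f"external entity declaration {name!r} refused")

    def on_external_ref(context, base, system_id, public_id):
        # Defence in depth: never resolve, even if a declaration slipped through.
        raise XxeRejected(f"external entity reference {system_id!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    fields, open_tags = {}, []

    def on_start(tag, attrs):
        open_tags.append(tag)
        fields.setdefault(tag, "")

    def on_end(tag):
        open_tags.pop()

    def on_text(data):
        # expat may deliver one text node in several chunks; concatenate them.
        if open_tags:
            fields[open_tags[-1]] += data

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_bytes, True)
    return fields


def check_document(xml_bytes, allow_dtd=False):
    """Return (accepted, detail): the parsed fields on success, else the reason."""
    try:
        return True, parse_hardened(xml_bytes, allow_dtd)
    except XxeRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"


# Constructed sample inputs (not real traffic); the URLs are placeholders.
BENIGN = b"<order><id>42</id><note>hello</note></order>"
INTERNAL_DTD = b'<!DOCTYPE n [<!ENTITY co "Example Corp">]><n>&co;</n>'
# The classic XXE shape: an external general entity that names a local file.
EXTERNAL_ENTITY = (
    b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///constructed/placeholder.txt">]>'
    b"<d>&xxe;</d>"
)
EXTERNAL_DTD = b'<!DOCTYPE d SYSTEM "http://dtd.example/placeholder.dtd"><d>x</d>'

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("internal dtd", INTERNAL_DTD),
               ("external entity", EXTERNAL_ENTITY), ("external dtd", EXTERNAL_DTD)]
    for label, doc in samples:
        print(f"{label:16} strict={check_document(doc)} fallback={check_document(doc, True)}")
```

In strict mode every document carrying a DOCTYPE is refused before any entity is even declared, which is why the page recommends it first. The fallback mode still lets the internal-entity document through while stopping both the external entity declaration and the external DTD reference; this is essentially the policy that defusedxml (named below for Django) applies on top of the same expat hooks, so prefer that library in production rather than maintaining a hand-rolled version.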

GraphQL Specific

Apollo

To prevent XXE in Apollo Server, ensure that any XML parsing, or libraries that parse XML, are configured to disallow the processing of external entities.

Yoga

In Yoga, disable external entity processing in XML parsing to mitigate XXE risks.

AWS AppSync

For AWS AppSync, avoid using any XML parsing libraries that do not allow you to disable external entities. If you must parse XML, configure the parser to disable external entities.

GraphQL Go

When using GraphQL with Go, ensure that your XML parser library is configured to ignore DOCTYPE and external entities.

GraphQL-Ruby

In GraphQL-Ruby, ensure that XML parsing is done with external entity processing disabled.

Hasura

For Hasura, it's important to validate and sanitize any user-supplied XML before processing and to configure the XML parser to disable external entities.

REST Specific

ASP.NET

In ASP.NET, use XmlReaderSettings with DtdProcessing set to Prohibit to prevent XXE.

Ruby on Rails

For Ruby on Rails applications, use Nokogiri with strict configuration to prevent XXE attacks.

Next.js

In Next.js, ensure that any server-side XML parsing disallows the processing of external entities.

Laravel

In Laravel, use the libxml settings to disable external entities when parsing XML.

Express.js

For Express.js, use body-parser-xml and configure it to reject external entities.

Django

In Django, use defusedxml to parse XML and prevent XXE attacks.

Symfony

Symfony applications should use the DOMDocument class with proper configuration to prevent XXE.

Spring boot

For Spring Boot, configure XMLInputFactory to prevent XXE attacks.

Flask

In Flask, use lxml with proper configuration to parse XML and prevent XXE.

Nuxt

Nuxt.js applications should ensure server-side XML parsing libraries are configured to prevent XXE.

Configuration

Identifier: injection/xxe

Examples

Ignore this check

{
  "checks": {
    "injection/xxe": {
      "skip": true
    }
  }
}

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API10:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC6.1
  • psd2: Article-32
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • CVSS_SCORE: 6.8
