XML external entity injection, or XXE, is a web vulnerability that lets threat actors interfere with how an application processes XML data. XML stands for "Extensible Markup Language," a text-based format for storing structured data and exchanging it over the Internet.

An e-commerce platform, for example, may use XML to define product listings and specify each product's description, price, and shipping details. An XML document can also declare entities whose content the parser fetches from an external file or URL, and that feature is where the weakness lies.

XML external entity attacks, also known as "XML external entity injection," take advantage of external entities, a feature of the XML specification that lets a document tell the parser to load content from a local file or a remote URL. Attackers may use it to read and retrieve internal files, launch denial-of-service (DoS) attacks, perform port scanning, and carry out other dangerous exploits.


For threat actors, exploiting an XML external entity vulnerability can be straightforward, and by the same token the vulnerability is usually easy to detect. Several years ago, Twitter awarded US$10,800 to a bug bounty hunter who discovered an XXE vulnerability that allowed threat actors to read local files.

Before the attack itself makes sense, however, a few concepts need to be covered. We explain them in the following sections.

What Is XML?

XML is a markup language that lets you define your own tags so that both humans and machines can read the data they enclose. It is used to structure information, which is then processed or displayed by another technology, such as a Java application or HyperText Markup Language (HTML).


Below is an example of XML data that stores product details. It has the product name, stock-keeping unit (SKU), price, and other pertinent information.

[Screenshot: sample XML product data feed, from https://searchspring.zendesk.com/hc/en-us/articles/201185089-Sample-XML-Data-Feed]

What Are XML External Entity Attacks?

In the sample XML data above, some fields, such as the product URL and thumbnail, hold the address of an external file or location. Those fields are ordinary text as far as the parser is concerned and are not the problem. The problem is a related capability: an XML document may declare, in its DOCTYPE, an external entity whose value the parser itself fetches from a file or URL. XML external entity attacks take advantage of that ability. How?

The simplest and most common exploit is when an attacker uses the feature to read local files. The example above, for instance, records the stock on hand. This is expressed using the line near the bottom of the screenshot that reads:

<Inventory_Count>21</Inventory_Count>

If the online shopping platform doesn't have protection against XML external entity attacks, threat actors can retrieve the local password file by submitting the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<Inventory_Count>&xxe;</Inventory_Count>

The DOCTYPE declares an entity named xxe whose value is the contents of /etc/passwd, and the reference &xxe; in the element tells the parser to substitute that value. If the application then echoes the inventory count back in its response (or in an error message), the password file comes back with it. The request for the file is hidden behind what looks like an ordinary inventory count.

How Do XML External Entity Vulnerabilities Arise?

The vulnerability lies in the XML parser, or in the software that transmits and processes XML data between the browser and the server, accepting a DOCTYPE from an untrusted source and resolving the entities declared in it. Most XML parsers support referencing external files or entities, and many have historically done so by default, so an application that simply hands user-supplied XML to its parser is exposed unless that support is switched off.

What Are the Effects of XML External Entity Attacks?

There are many ways threat actors can launch XML external entity attacks. Regardless of the method, below are some of their negative consequences.

  • Attackers can retrieve sensitive files from the web server, either directly in the response or, when nothing is echoed back, by sending the contents to a server they control.
  • The vulnerability can be used to perform server-side request forgery (SSRF), a serious form of attack where threat actors make the server issue requests to the organization's back-end systems as if they came from a trusted entity.
  • In some configurations (for example, when the PHP expect:// wrapper is available), attackers can execute commands on the victim's server.
  • The attack can lead to a DoS condition, for example by declaring entities that expand recursively into enormous strings, or by pointing an entity at a file such as /dev/random that never stops producing data.
  • Threat actors can perform port scanning through an XML external entity attack, using entities that point at internal hosts and ports, allowing them to map the victim's network.

How Do You Prevent an XML External Entity Attack?

Here are some recommendations on preventing threat actors from exploiting XML external entity.

  • Filter user-provided XML before it reaches the parser and reject any document that contains a DOCTYPE or entity declaration, since legitimate data feeds rarely need one.
  • Allowlist input so that only documents matching the expected structure and values make their way into your system.
  • Disable external entity support in your XML parser, and, where the parser offers it, disable DTD processing altogether so that parameter entities and external DTDs are blocked as well.

XML external entity attack prevention boils down to keeping users from defining entities through their inputs and making sure your XML parser is configured so that it never resolves them.
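The following is an added example, not code from the original page, that ties the attack section and the recommendations above together. It runs the inventory-count payload from the attack section through Python's standard-library SAX parser twice: once with external general entities switched on, which is the vulnerable configuration, and once with them off, which is what "disable external entity support" means in practice. It also implements the first recommendation as a small input gate that refuses any document carrying a DOCTYPE. The element name Inventory_Count is taken from the page; the "secret" file is a temporary file with constructed content that stands in for /etc/passwd so the example runs offline, and the function names are the example's own.

```python
"""Added example (not from the original page): the page's XXE payload run through
Python's xml.sax parser in vulnerable and hardened configurations, plus a
DOCTYPE-rejecting input gate. A temporary file with constructed content stands in
for /etc/passwd so that the example runs offline."""
import io
import os
import pathlib
import re
import tempfile
import xml.sax
from xml.sax import handler


class InventoryHandler(handler.ContentHandler):
    """Collects the text inside <Inventory_Count>, i.e. what the shop would echo back."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._chunks = []

    def startElement(self, name, attrs):
        if name == "Inventory_Count":
            self._inside = True

    def endElement(self, name):
        if name == "Inventory_Count":
            self._inside = False

    def characters(self, content):
        # expat may deliver the entity's text in several pieces; keep them all
        if self._inside:
            self._chunks.append(content)

    @property
    def inventory_count(self):
        return "".join(self._chunks)


def build_payload(file_uri):
    """The page's payload: an external entity pointing at file_uri, referenced as &xxe;."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{file_uri}"> ]>\n'
        "<Inventory_Count>&xxe;</Inventory_Count>\n"
    ).encode("utf-8")


def parse_inventory(xml_bytes, allow_external_entities):
    """Parses the document and returns the inventory count text as the parser saw it."""
    parser = xml.sax.make_parser()
    collector = InventoryHandler()
    parser.setContentHandler(collector)
    # CPython leaves feature_external_ges off by default (since 3.7.1). A service that
    # turns it on, or uses a parser whose default is on, leaks whatever the entity names.
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.inventory_count


_DOCTYPE = re.compile(rb"<!DOCTYPE")


def has_doctype(xml_bytes):
    """Input gate for the filtering recommendation: a product feed never needs a DTD,
    so any document that declares one is rejected before it reaches the parser.
    Entities can only be declared inside a DTD, so this also blocks &xxe;-style
    declarations. The check runs on raw bytes and assumes a UTF-8 (or ASCII-compatible)
    document; a UTF-16 document would have to be decoded first."""
    return _DOCTYPE.search(xml_bytes) is not None


def demo():
    """Returns (text leaked by the vulnerable parser, text from the hardened parser,
    whether the DOCTYPE gate would have rejected the payload)."""
    secret = "root:x:0:0:root:/root:/bin/bash\n"  # constructed stand-in for /etc/passwd
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    try:
        payload = build_payload(pathlib.Path(path).as_uri())
        leaked = parse_inventory(payload, allow_external_entities=True)
        hardened = parse_inventory(payload, allow_external_entities=False)
    finally:
        os.remove(path)
    return leaked, hardened, has_doctype(payload)


if __name__ == "__main__":
    leaked, hardened, rejected = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
    print("DOCTYPE gate rejects payload:", rejected)
```

With external entities enabled, the inventory count comes back as the contents of the secret file; with them disabled, the entity reference is silently dropped and the field is empty. The gate and the parser setting are complementary: the gate stops the document at the door, and the parser setting protects you if some other code path feeds XML to the parser without going through the gate.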

External entity support is a common XML parser feature that has become an entry point for threat actors to launch data theft and other attacks. Its repercussions are severe, but the vulnerability is easy to detect and, by disabling the feature, easy to prevent.