XML External Entity (XXE) Injection
XXE exploits XML parsers that resolve external entity declarations. An attacker places a DOCTYPE definition in the XML they submit, and the parser then reads local files, makes server-side requests (SSRF), or exfiltrates data out-of-band on the attacker's behalf. It affects any application that parses XML, including SAML assertions, SVG images, and office document uploads.
XML Payload (sent by attacker)
<?xml version="1.0"?>
<request>
<name>Alice</name>
</request>
Prevention
How to fix
Disable external entity processing (FEATURE_EXTERNAL_GEs)
Use allowlist XML parsers (defusedxml in Python)
Prefer JSON over XML where possible
Patch parser libraries (libxml2, Xerces)
WAF rules blocking DOCTYPE declarations
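The following is an added example, not code from the original page, showing the first two fixes in the list applied in the Python standard library: a DOCTYPE gate in the application (the same rule a WAF would enforce, but closer to the parser) and a SAX parser with external general and parameter entities disabled, which is the stdlib equivalent of the FEATURE_EXTERNAL_GEs setting. The sample documents, the placeholder SYSTEM path and the function names (has_doctype, hardened_parser, parse_names) are constructed for this example.

```python
import re
import xml.sax
import xml.sax.handler
from io import BytesIO

# Constructed sample documents (not taken from the original page).
BENIGN_DOC = b'<?xml version="1.0"?>\n<request>\n<name>Alice</name>\n</request>'

# Constructed test vector: a DOCTYPE declaring an external general entity.
# The SYSTEM identifier is a placeholder; a hardened parser must never open it.
DOCTYPE_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE request [ <!ENTITY ext SYSTEM "file:///placeholder/never-read"> ]>\n'
    b'<request><name>&ext;</name></request>'
)

# Any DOCTYPE declaration, case-insensitive. Our request schema never needs
# one, so its presence alone is grounds for rejection.
_DOCTYPE_RE = re.compile(rb'<!DOCTYPE', re.IGNORECASE)


def has_doctype(data: bytes) -> bool:
    """Return True if the document carries a DOCTYPE declaration."""
    return _DOCTYPE_RE.search(data) is not None


class _NameCollector(xml.sax.handler.ContentHandler):
    """Collect the text of every <name> element; everything else is ignored."""

    def __init__(self):
        super().__init__()
        self.names = []
        self._buf = None

    def startElement(self, tag, attrs):
        if tag == "name":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, tag):
        if tag == "name" and self._buf is not None:
            self.names.append("".join(self._buf))
            self._buf = None


def hardened_parser():
    """SAX parser with external general and parameter entities disabled.

    feature_external_ges is the stdlib name for the FEATURE_EXTERNAL_GEs
    setting; with it off, expat's external entity callback returns without
    opening the referenced resource.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    return parser


def parse_names(data: bytes, reject_doctype: bool = True) -> list:
    """Parse an untrusted XML request and return the <name> values.

    Layer 1: refuse any document that carries a DOCTYPE.
    Layer 2: even with layer 1 switched off, external entities are never resolved.
    """
    if reject_doctype and has_doctype(data):
        raise ValueError("DOCTYPE declarations are not accepted")
    handler = _NameCollector()
    parser = hardened_parser()
    parser.setContentHandler(handler)
    parser.parse(BytesIO(data))
    return handler.names


if __name__ == "__main__":
    print(parse_names(BENIGN_DOC))                         # ['Alice']
    try:
        parse_names(DOCTYPE_DOC)
    except ValueError as err:
        print("rejected:", err)
    # Layer 2 alone: the entity reference is skipped, so <name> comes back empty
    # and nothing is read from the placeholder path.
    print(parse_names(DOCTYPE_DOC, reject_doctype=False))  # ['']
```

The two layers are deliberately independent: the DOCTYPE gate fails closed on anything unexpected, while the parser feature flags protect code paths that call the parser directly and bypass the gate. For documents that legitimately need a DOCTYPE, or to cover internal entity expansion as well, the defusedxml package listed above is the better choice.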