External XML Entities (XXE) and how they may impact your environment
Flaws based on external XML entity processing are typically the product of applications that
parse XML data with a weakly configured parser: one that resolves external references found in
untrusted input without any filtering. The consequences range from disclosure of sensitive data
through denial of service to, in some configurations, remote code execution.
These vulnerabilities may manifest in some of the technology powering many of today’s websites.
They may also be observed locally, in applications that process popular office file formats. These
newer, XML-based file formats represent a potential platform for targeted attacks within an
organization.
Though many CVEs and advisories related to this issue date from around 2014 and later, some of
the first references go back to developer posts as early as 2001. Recently, XXE has been the
subject of many bug bounties, awarding several thousand dollars for vulnerabilities discovered in
popular sites such as Facebook and Google.
What can happen with XXE
In the web app example, we explore how easy it can be to modify a legitimate request to exploit an
XXE vulnerability and the results that can be achieved against a vulnerable system.
One way a vulnerable system may be exploited is information disclosure by way of local file
inclusion. By declaring an entity whose SYSTEM identifier points at a file the application has
permission to read, and referencing that entity in a field the application echoes back, the file
contents may be returned in the response.
Another scenario shows an XML entity calling PHP functions, with the results returned within the
response. This may help an attacker who is having trouble recovering the complete contents of a
file, for instance because the raw contents are not well-formed XML, or who faces some other sort
of egress problem.
A separate application of this vulnerability has us issuing requests that cause the victim server to
connect to remote locations named in the entity statement. This can be used to make the victim
server fetch a remote document type definition (DTD), connect to a malicious location or, as in the
next example, act as a port scanner.
During a successful attempt an error message is returned.
When we check our temporary web server, however, we see that a connection has been made: the
victim server issued a GET request to our host on the specified port.
So a connection is being made, but how can a successful connection to a port be distinguished
from a failed one? The application's behaviour gives the answer: the error messages vary, and a
negative result reads “Connection refused” within the error message.
The next example demonstrates resource exhaustion that may lead to a denial of service condition
on the victim server. By employing a method referred to as XML entity expansion (XEE), often
called a “billion laughs” attack, attackers load a request with nested entity declarations, each a
shorthand that references the previous one many times and that the victim server must unpack.
Once the request is fully unpacked it expands to many times its original size, with so many
individual elements that it may slow down or halt the victim server. In the image below, we see
that we are already causing system errors, the size of the unpacked request causing extended
backend processing. Adding a couple more levels, or a longer base string, would stress a
vulnerable victim server even further.
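The guard below is an added example and not the paper's own code. It shows the arithmetic behind the entity expansion request just described: each level of the nested declarations multiplies the size of the previous one, so a pre-parse check can compute how large the unpacked request would become without actually unpacking it, and refuse it before the real parser pays the cost. The 4 KiB budget, the regular expressions and the "lol" nesting payload are this example's own assumptions, and the check covers double-quoted internal entities only (external entities are the separate problem discussed earlier on this page).

```python
"""Added example (not the paper's own code): a pre-parse guard for the XML
entity expansion (XEE) request described above. It reads the internal DTD
subset, works out how large every declared entity becomes once fully
unpacked, and rejects the request before a real parser spends the memory
and CPU on it. The parse step then runs on stdlib ElementTree, which does
expand internal entities.

Assumptions not stated on the page: the 4 KiB budget, the regular
expressions and the "lol" nesting payload are constructed for this demo.
The guard covers double-quoted internal entities only; external entities
(SYSTEM/PUBLIC) are a different problem and are simply not counted here.
"""
import re
import xml.etree.ElementTree as ET

EXPANSION_BUDGET = 4096   # assumed per-request limit; tune for your application

DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')


def expansion_sizes(internal_subset):
    """Map each declared entity to the length of its fully expanded value.
    Sizes are computed arithmetically, so a 10^9-byte entity costs nothing
    to measure. A reference cycle is illegal XML and is reported as such."""
    values = dict(ENTITY_DECL.findall(internal_subset))
    sizes = {}

    def size_of(name, active):
        if name in sizes:
            return sizes[name]
        if name in active:
            raise ValueError("entity reference cycle through &%s;" % name)
        if name not in values:
            return len(name) + 2      # undefined or predefined (&amp;): count the literal
        value = values[name]
        total = len(ENTITY_REF.sub("", value))
        for ref in ENTITY_REF.findall(value):
            total += size_of(ref, active | {name})
        sizes[name] = total
        return total

    for name in values:
        size_of(name, frozenset())
    return sizes


def entity_expansion_bytes(xml_text):
    """Bytes of text that the entity references in the document body turn
    into once unpacked: the cost the guard keeps below the budget."""
    m = DOCTYPE.search(xml_text)
    if m is None:
        return 0                      # no internal subset, nothing to unpack
    sizes = expansion_sizes(m.group(1))
    body = xml_text[m.end():]
    return sum(sizes.get(ref, len(ref) + 2) for ref in ENTITY_REF.findall(body))


def parse_if_safe(xml_text):
    """Return the echoed <term> text, or refuse the request when unpacking
    its entities would exceed EXPANSION_BUDGET."""
    cost = entity_expansion_bytes(xml_text)
    if cost > EXPANSION_BUDGET:
        raise ValueError("entity expansion of %d bytes exceeds budget" % cost)
    return ET.fromstring(xml_text).find("term").text


def nested_payload(fanout, depth, seed="lol"):
    """Constructed attacker request: level N references level N-1 `fanout`
    times, so the final reference unpacks to len(seed) * fanout**depth bytes
    (fanout=10, depth=9 is the classic 'billion laughs')."""
    decls = ['<!ENTITY lol0 "%s">' % seed]
    for level in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">'
                     % (level, ("&lol%d;" % (level - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE search [\n%s\n]>\n'
            '<search><term>&lol%d;</term></search>' % ("\n".join(decls), depth))


if __name__ == "__main__":
    small = nested_payload(fanout=10, depth=3)    # unpacks to 3,000 bytes
    print(len(parse_if_safe(small)), "bytes echoed")
    big = nested_payload(fanout=10, depth=9)      # would unpack to 3,000,000,000 bytes
    try:
        parse_if_safe(big)
    except ValueError as err:
        print("rejected:", err)
```

A check of this kind belongs in front of the parser, not instead of a parser limit: recent libexpat builds also cap the amplification factor themselves, but the threshold is generous and older runtimes have no such cap, so measuring the request first is cheap insurance.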
This form of attack goes beyond web servers processing XML content. Instances of XXE
vulnerabilities have also been discovered in the processing of certain file formats that contain XML
data. The danger of this vector is that it can be used to augment a social engineering campaign
that targets specific personnel and the computing devices they use.
As this attack vector becomes more widely understood, it would seem to follow that it will become
more prevalent. Indeed, we see additional checks being implemented in some popular security
suites to aid professionals in identifying potential weaknesses. Any such implementation definitely
needs to be followed up by manual validation by personnel familiar with
Things you can do
The most fundamental step toward mitigating XXE threats is to prevent the XML parsers in your
environment from resolving external entities and external document type definitions, or to disable
DTD processing altogether.
Most languages and XML libraries also expose parser-specific settings (features, properties or
constructor flags) that turn off external entity resolution and DTD loading; for example, Java's
DocumentBuilderFactory honours the feature http://apache.org/xml/features/disallow-doctype-decl,
and PHP's libxml-based parsers should never be given the LIBXML_NOENT option on untrusted input.
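The following is an added example, not code from the paper, that ties the local file disclosure scenario from the “What can happen with XXE” section to the mitigation just described. It reproduces the attack with the Python standard library's xml.sax parser, then parses the very same request with external general entities left disabled, which is the parser-level setting this section recommends. A throw-away temporary file stands in for the sensitive system file, and the example assumes CPython 3.7.1 or later, where xml.sax keeps external general entities off unless the application turns them on.

```python
"""Added example (not the paper's own code): the local file disclosure
scenario from the "What can happen" section, reproduced with the Python
standard library's xml.sax parser, and the mitigation described above,
which is the same parser with external general entities left disabled.

Assumptions not stated on the page: a throw-away temp file stands in for a
sensitive system file, and xml.sax is CPython 3.7.1 or later, where external
general entities stay off unless the application turns them on.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects every run of character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def xxe_payload(path):
    """The attacker's modified request body: an entity whose SYSTEM
    identifier is a file the application can read, referenced inside the
    element the application echoes back."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE search [\n'
        '  <!ENTITY leak SYSTEM "%s">\n'
        ']>\n'
        '<search><term>&leak;</term></search>\n'
    ) % path


def parse_echoed_text(xml_bytes, allow_external_entities):
    """Parse a request body and return the text the application would echo.
    allow_external_entities=True models the weak parser configuration;
    False is the hardened one (and the default for this parser)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def demo():
    """Return (weak_result, hardened_result) for a constructed secret file."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("db_password=hunter2")   # constructed stand-in for a real secret
        secret_path = fh.name
    try:
        payload = xxe_payload(secret_path).encode()
        weak = parse_echoed_text(payload, allow_external_entities=True)
        hardened = parse_echoed_text(payload, allow_external_entities=False)
    finally:
        os.unlink(secret_path)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak parser echoes:     %r" % weak)
    print("hardened parser echoes: %r" % hardened)
```

With the feature enabled the echoed text is the file's contents; with it disabled the entity reference silently expands to nothing and the response carries no file data. The same principle applies to other libraries: lxml's XMLParser takes resolve_entities=False, and the Java feature named above refuses the DOCTYPE outright, which also removes the entity expansion vector.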