XML External Entity (XXE)

Definition: A type of attack that exploits how some XML processors validate or parse XML input.

XXE is a vulnerability where XML processors evaluate external entity references within XML documents, allowing attackers to access unauthorized files, execute remote code, perform server-side request forgery, or launch denial of service attacks. The vulnerability stems from insecure default configurations in many XML parsers and inadequate input validation. XXE vulnerabilities are documented in the OWASP Top 10, CWE-611, and various application security standards. Organizations prevent XXE through secure XML parsing configuration, input validation, and proper handling of user-supplied XML.

For example, a web application development team might protect against XXE attacks by disabling external entity processing and DTD parsing in all XML parsers, validating and sanitizing all XML input, implementing XML parsing libraries specifically designed with security in mind, creating an allowlist of permitted entities when external references are necessary, and routinely testing applications with XXE-specific security tools to verify protections are effective.

Related terms: XML injection, XML parsing, OWASP Top 10, API security, External entity, DOCTYPE declaration, Document Type Definition (DTD), Server-side request forgery (SSRF), File disclosure, Entity expansion.
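One way to apply the "disable DTD parsing" control described above, using only the Python standard library. This is an added example, not code from the original page; the names `parse_untrusted_xml`, `is_rejected` and `RejectedXML` and all sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class RejectedXML(ValueError):
    """Untrusted XML that is malformed or carries a DTD/entity declaration."""


def _no_doctype(name, system_id, public_id, has_internal_subset):
    raise RejectedXML(f"DOCTYPE declaration not allowed: {name!r}")


def _no_entity_decl(name, is_param, value, base, system_id, public_id, notation):
    # Defence in depth: only reached if the DOCTYPE handler is ever removed.
    raise RejectedXML(f"entity declaration not allowed: {name!r}")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Return the parsed root only if the document has no DTD at all."""
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _no_doctype
    checker.EntityDeclHandler = _no_entity_decl
    try:
        checker.Parse(data, True)  # handler exceptions propagate from here
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except RejectedXML:
        return True
    return False


# Constructed sample inputs (not from the page).
BENIGN = b"<order><item>widget</item><qty>2</qty></order>"
EXTERNAL_ENTITY = (
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<order><item>&ext;</item></order>"
)
INTERNAL_ENTITY = (
    b'<!DOCTYPE order [<!ENTITY a "aaaa">]>'
    b"<order><item>&a;&a;</item></order>"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
                       ("internal entity", INTERNAL_ENTITY)]:
        print(label, "->", "rejected" if is_rejected(doc) else "accepted")
```

Rejecting every DOCTYPE covers both the external entity case and the entity expansion case listed under related terms, at the cost of refusing documents that legitimately need a DTD.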