Mobb User Docs

XXE

Learn how to prevent XML External Entity (XXE) Injection attacks with examples, cheat sheets, and best practices. Protect your web server from vulnerabilities and security threats.

Tools recognizing this: Opengrep, Fortify, Checkmarx, SonarQube, Snyk, Semgrep, CodeQL

What is XXE Injection

XML External Entity (XXE) Injection is a web security vulnerability that occurs when an application processes XML input containing references to external entities without proper validation or restrictions.

An attacker can exploit XXE vulnerabilities to achieve various malicious goals:

  • Read sensitive files from the application server
  • Perform Server-Side Request Forgery (SSRF)
  • Execute denial of service attacks
  • In some cases, achieve remote code execution
  • Scan internal networks and ports

One Simple Example

Consider this example of XML processing:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>

When processed by a vulnerable XML parser, the entity declaration <!ENTITY xxe SYSTEM "file:///etc/passwd"> in this payload will result in the content of the /etc/passwd file being read and returned to the attacker.

This allows the attacker to read sensitive system files that should not be accessible.

Real-world Occurrences of XXE Injection

Facebook XXE Vulnerability (2014)

Facebook's "Forgot your password?" functionality was found to be vulnerable to XXE injection. An attacker could read arbitrary files from Facebook's servers and potentially run arbitrary code. The vulnerability occurred because the XML parser used to process user-supplied XML data had external entity processing enabled. Facebook fixed the issue through their bug bounty program before any known exploitation.

Uber XXE Vulnerability (2016)

A security researcher identified an XXE vulnerability in third-party backup software used by Uber. This flaw allowed unauthorized access to internal files. The vulnerability could have given an attacker access to the user backup data of any company using the software, including Uber. Uber fixed the issue through their bug bounty program before any known exploitation.

Fixing XXE Injections

The most effective way to prevent XXE attacks is to disable XML external entity and DTD processing in your XML parser configuration.

Different XML parsers have different methods to disable these features, but the general principle is to turn off support for external entities and DTD processing entirely unless absolutely necessary. If DTD processing is required, external entities should still be disabled.

Code Samples

Vulnerable Code

DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = df.newDocumentBuilder();
Document doc = builder.parse(new InputSource(reader));

Fixed Code

DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
df.setFeature("http://xml.org/sax/features/external-general-entities", false);
df.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
DocumentBuilder builder = df.newDocumentBuilder();
Document doc = builder.parse(new InputSource(reader));

Fix Explanation

The vulnerable code relies on the default DocumentBuilderFactory settings, which accept DOCTYPE declarations and resolve external entities. The fix disallows DOCTYPE declarations outright, which prevents any DTD (and therefore any entity) from being declared, and as defence in depth switches off resolution of external general and parameter entities. The parser will now reject any document that tries to declare or reference external entities.

Vulnerable Code

from xml.etree.ElementTree import parse
tree = parse(xmlSource)

Fixed Code

from defusedxml.ElementTree import parse
from defusedxml.ElementTree import DefusedXMLParser

parser = DefusedXMLParser(forbid_dtd=True)
tree = parse(xmlSource, parser=parser)

Fix Explanation

The vulnerable code uses the standard XML parser which is vulnerable to XXE. The fix uses the defusedxml library, which is specifically designed to prevent XML attacks. DTD processing is explicitly forbidden. The parser will safely handle XML input without allowing external entities.
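The disallow-DOCTYPE principle described above, applied by hand to Python's standard-library expat parser so that it works without defusedxml. This is an added example, not Mobb's code: parse_untrusted, is_rejected, ForbiddenDTD and the benign document are names and inputs constructed here, and the XXE payload is the one shown earlier on this page.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

class ForbiddenDTD(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this on <!DOCTYPE ...> before it reads the internal subset,
    # so an <!ENTITY xxe SYSTEM "file:///..."> declared there is never processed.
    raise ForbiddenDTD(f"DOCTYPE {name!r} is not allowed in untrusted XML")

def _reject_entity_decl(*_args):
    # Defence in depth: refuse every entity declaration, internal or external.
    raise ForbiddenDTD("entity declarations are not allowed in untrusted XML")

def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML into an Element tree, refusing DTDs (the disallow-doctype rule)."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    # Never fetch external entities; returning False makes expat fail the parse.
    parser.ExternalEntityRefHandler = lambda *_a: False
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    return builder.close()

def is_rejected(data: bytes) -> bool:
    """True when parse_untrusted refuses the document because of a DTD."""
    try:
        parse_untrusted(data)
    except ForbiddenDTD:
        return True
    return False

# Constructed inputs: the payload shown on this page and a benign document.
XXE_PAYLOAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE foo [\n'
               b'   <!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<foo>&xxe;</foo>')
BENIGN = b'<foo><bar id="1">hi</bar></foo>'
```

Because the DOCTYPE handler fires before the internal subset is read, the external entity declaration is never evaluated, which is the same guarantee the disallow-doctype-decl feature gives the Java parser above.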

Vulnerable Code

$xml = simplexml_load_string($xmlStr);
$dom = new DOMDocument();
$dom->loadXML($xmlStr);

Fixed Code

// Deprecated since PHP 8.0, where libxml no longer loads external entities by default
libxml_disable_entity_loader(true);
// Do not pass LIBXML_NOENT: despite its name it turns entity substitution ON.
// LIBXML_NONET blocks network access while parsing; LIBXML_NOCDATA merges CDATA into text nodes.
$xml = simplexml_load_string($xmlStr, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);

$dom = new DOMDocument();
$dom->loadXML($xmlStr, LIBXML_NONET | LIBXML_NOCDATA);

Fix Explanation

The vulnerable code processes XML without any security controls. The fix disables external entity loading with libxml_disable_entity_loader() (deprecated since PHP 8.0, where libxml no longer loads external entities by default, so the call is only needed on older versions). LIBXML_NONET additionally blocks network access during parsing, and LIBXML_NOCDATA merges CDATA sections into text nodes. LIBXML_NOENT must not be passed: despite its name it turns entity substitution on. External entities and other dangerous features stay disabled.

Vulnerable Code

XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(xmlFile);

Fixed Code

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
settings.XmlResolver = null;

XmlReader reader = XmlReader.Create(xmlFile, settings);
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(reader);

Fix Explanation

The vulnerable code uses default XML processing settings. The fix explicitly prohibits DTD processing. The XML resolver is set to null to prevent external entity resolution. The XML document is loaded using secure settings.

Vulnerable Code

const xml2js = require('xml2js');
const parser = new xml2js.Parser();
parser.parseString(xml);

Fixed Code

const xml2js = require('xml2js');
const parser = new xml2js.Parser({
  explicitEntities: false,
  ignoreEntities: true
});
parser.parseString(xml);

Fix Explanation

The vulnerable code uses default parser settings which may process entities. The fix explicitly disables entity processing. Additional security options are set to ignore entities. The parser will safely handle XML without processing external entities.

Vulnerable Code

require 'nokogiri'
doc = Nokogiri::XML(xml_input)

Fixed Code

require 'nokogiri'
# Only NONET (no network access). NOENT and DTDLOAD stay off: NOENT would turn
# entity substitution on and reopen file:// reads through external entities.
doc = Nokogiri::XML(xml_input) { |config|
  config.options = Nokogiri::XML::ParseOptions::NONET
}

Fix Explanation

The vulnerable code uses default Nokogiri settings which may be unsafe. The fix limits parsing to NONET, which blocks network access, while entity substitution (NOENT) and DTD loading (DTDLOAD) remain off. ParseOptions control libxml's parsing behavior; NOENT in particular must not be added, since despite its name it enables entity substitution. The parser will safely handle XML without expanding external entities.


Last updated 2 months ago
