# XXE

#### Tools recognizing this:

<kbd>Opengrep</kbd> <kbd>Fortify</kbd> <kbd>Checkmarx</kbd> <kbd>SonarQube</kbd> <kbd>Snyk</kbd> <kbd>Semgrep</kbd> <kbd>CodeQL</kbd>

## What is XXE Injection

XML External Entity (XXE) Injection is a web security vulnerability that occurs when an application processes XML input containing references to external entities without proper validation or restrictions.

An attacker can exploit XXE vulnerabilities to achieve various malicious goals:

* Read sensitive files from the application server
* Perform Server-Side Request Forgery (SSRF)
* Execute denial of service attacks
* In some cases, achieve remote code execution
* Scan internal networks and ports

## One Simple Example

Consider this example of XML processing:

{% code overflow="wrap" %}

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
```

{% endcode %}

When processed by a vulnerable XML parser, this payload:<mark style="color:red;">`<!ENTITY xxe SYSTEM "file:///etc/passwd">`</mark>will result in the content of the <kbd><mark style="color:red;">/etc/passwd<mark style="color:red;"></kbd> file being read and returned to the attacker.

This allows the attacker to read sensitive system files that should not be accessible.

## Real-world Occurrences of XXE Injection

#### Facebook XXE Vulnerability (2014)

Facebook's "Forgot your password?" functionality was found to be vulnerable to [XXE injection](https://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution). An attacker could read arbitrary files from Facebook's servers, and potentially run arbirary code. The vulnerability occurred because the XML parser used to process user-supplied XML data had external entity processing enabled. Facebook fixed the issue through their [bug bounty program](https://www.facebook.com/BugBounty/posts/778897822124446) before any known exploitation.

#### Uber XXE Vulnerability (2016)

A security researcher identified an [XXE vulnerability](https://threatpost.com/uber-com-backup-bug-nets-researcher-9k/123370/) in a third-party backup software utilized by Uber. This flaw allowed unauthorized access to internal files. The vulnerability could have given an attacker access to the user backup data of any company using the software, including Uber. Uber fixed the issue through their bug bounty program before any known exploitation.

## Fixing XXE Injections

The most effective way to prevent XXE attacks is to disable XML external entity and DTD processing in your XML parser configuration.

Different XML parsers have different methods to disable these features, but the general principle is to turn off support for external entities and DTD processing entirely unless absolutely necessary. If DTD processing is required, external entities should still be disabled.

### Code Samples

{% tabs %}
{% tab title="Java" %}
**Vulnerable Code**

```java
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = df.newDocumentBuilder();
Document doc = builder.parse(new InputSource(reader));
```

**Fixed Code**

```java
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
df.setFeature("http://xml.org/sax/features/external-general-entities", false);
df.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
DocumentBuilder builder = df.newDocumentBuilder();
Document doc = builder.parse(new InputSource(reader));
```

**Fix Explanation**

The vulnerable code uses default XML parser settings which allow external entities.\
The fix explicitly disables DOCTYPE declarations and external entities.\
Additional security features are enabled to prevent XXE attacks.\
The XML parser will now reject any attempts to use external entities.
{% endtab %}

{% tab title="Python" %}
**Vulnerable Code**

```python
from xml.etree.ElementTree import parse
tree = parse(xmlSource)
```

**Fixed Code**

```python
from defusedxml.ElementTree import parse
from defusedxml.ElementTree import DefusedXMLParser

parser = DefusedXMLParser(forbid_dtd=True)
tree = parse(xmlSource, parser=parser)
```

**Fix Explanation**

The vulnerable code uses the standard XML parser which is vulnerable to XXE.\
The fix uses the defusedxml library, which is specifically designed to prevent XML attacks.\
DTD processing is explicitly forbidden.\
The parser will safely handle XML input without allowing external entities.
{% endtab %}

{% tab title="PHP" %}
**Vulnerable Code**

```php
$xml = simplexml_load_string($xmlStr);
$dom = new DOMDocument();
$dom->loadXML($xmlStr);
```

**Fixed Code**

```php
libxml_disable_entity_loader(true);
$xml = simplexml_load_string($xmlStr, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_NOCDATA);

$dom = new DOMDocument();
$dom->loadXML($xmlStr, LIBXML_NOENT | LIBXML_NOCDATA);
```

**Fix Explanation**

The vulnerable code processes XML without any security controls.\
The fix disables external entity loading using libxml\_disable\_entity\_loader().\
Additional flags are used to control XML parsing behavior.\
External entities and potentially dangerous features are disabled.
{% endtab %}

{% tab title="C#" %}
**Vulnerable Code**

```csharp
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(xmlFile);
```

**Fixed Code**

```csharp
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
settings.XmlResolver = null;

XmlReader reader = XmlReader.Create(xmlFile, settings);
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(reader);
```

**Fix Explanation**

The vulnerable code uses default XML processing settings.\
The fix explicitly prohibits DTD processing.\
The XML resolver is set to null to prevent external entity resolution.\
The XML document is loaded using secure settings.
{% endtab %}

{% tab title="Node.js" %}
**Vulnerable Code**

```javascript
const xml2js = require('xml2js');
const parser = new xml2js.Parser();
parser.parseString(xml);
```

**Fixed Code**

```javascript
const xml2js = require('xml2js');
const parser = new xml2js.Parser({
  explicitEntities: false,
  ignoreEntities: true
});
parser.parseString(xml);
```

**Fix Explanation**

The vulnerable code uses default parser settings which may process entities.\
The fix explicitly disables entity processing.\
Additional security options are set to ignore entities.\
The parser will safely handle XML without processing external entities.
{% endtab %}

{% tab title="Ruby" %}
**Vulnerable Code**

```ruby
require 'nokogiri'
doc = Nokogiri::XML(xml_input)
```

**Fixed Code**

```ruby
require 'nokogiri'
doc = Nokogiri::XML(xml_input) { |config|
  config.options = Nokogiri::XML::ParseOptions::NONET |
                  Nokogiri::XML::ParseOptions::NOENT
}
```

**Fix Explanation**

The vulnerable code uses default Nokogiri settings which may be unsafe.\
The fix disables network access and entity expansion.\
ParseOptions are used to control XML processing behavior.\
The parser will safely handle XML without allowing external entities.
{% endtab %}
{% endtabs %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.mobb.ai/mobb-user-docs/fixing-guides/xxe-fix-guide.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.