๐ŸŒ Web Vulnerabilities

XML External Entity (XXE)

XML External Entity (XXE) is a type of attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser, that is, one that still resolves external entities.

Common Types of XXE Vulnerabilities

  • In-band XXE: The attacker uses the same communication channel to launch the attack and to gather the results.
  • Out-of-band (OOB) XXE: The attacker exfiltrates data through a different channel.

Prevention Methods

  • Disable External Entities: The most effective way to prevent XXE is to disable external entities altogether.
  • Use a Whitelist of Trusted Entities: If you cannot disable external entities, you can use a whitelist of trusted entities.
  • Sanitize User Input: If you cannot disable external entities or use a whitelist, you should sanitize all user-supplied input before it is passed to the XML parser.
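The first two prevention methods above, expressed in code, as an added example that is not part of the original page: a parser built on Python's standard-library expat module that always refuses external entities and DTDs, and accepts internal entities only from an explicit allow list (an empty allow list, the default, rejects any DOCTYPE at all). The function names and the sample documents are constructed for this example.

```python
import xml.parsers.expat

class XXEError(ValueError):
    """Raised when untrusted XML declares or references an external entity."""

def parse_untrusted_xml(data: bytes, allowed_entities=frozenset()) -> dict:
    """Parse untrusted XML into {element: text}. External entities and DTDs
    are always refused; internal entities only if named in allowed_entities;
    with the empty default allow list any DOCTYPE at all is refused."""
    parser = xml.parsers.expat.ParserCreate()
    text_by_element, open_elements = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if sysid is not None or pubid is not None:
            raise XXEError(f"external DTD refused: {sysid or pubid!r}")
        if not allowed_entities:
            raise XXEError("DOCTYPE declarations are not accepted")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # A SYSTEM/PUBLIC id means the parser would reach outside the document.
        if sysid is not None or pubid is not None or is_param:
            raise XXEError(f"external entity {name!r} refused")
        if name not in allowed_entities:
            raise XXEError(f"entity {name!r} is not on the allow list")

    def character_data(text):
        if open_elements:  # expat may deliver text in chunks, so concatenate
            elem = open_elements[-1]
            text_by_element[elem] = text_by_element.get(elem, "") + text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    # Defence in depth: never fetch anything; returning 0 makes expat abort.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.StartElementHandler = lambda name, attrs: open_elements.append(name)
    parser.EndElementHandler = lambda name: open_elements.pop()
    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    return text_by_element

def is_accepted(data: bytes, allowed_entities=frozenset()) -> bool:
    try:
        parse_untrusted_xml(data, allowed_entities)
        return True
    except XXEError:
        return False

# Constructed sample documents for demonstration (not from the page).
SAFE_DOC = b"<user><name>alice</name></user>"
INTERNAL_DOC = b'<!DOCTYPE u [<!ENTITY co "Example Corp">]><user><org>&co;</org></user>'
XXE_DOC = b'<!DOCTYPE u [<!ENTITY ext SYSTEM "file:///some/path">]><user><n>&ext;</n></user>'
```

Rejecting loudly is deliberate: with external entities merely disabled, expat would silently expand `&ext;` to nothing, and the application would never learn it was being probed.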