Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1397

XXE Attack

Reviewed by: Cybersecurity entrepreneur & security researcher

What is an XXE attack?

XXE Attack: An attack against XML parsers that abuses external entity resolution to read files, scan internal networks, or trigger denial of service.

An XML External Entity (XXE) attack exploits XML parsers that, by default, resolve external entities declared in a DTD. By submitting a document whose DOCTYPE references file:// or http:// URIs, an attacker can make the parser read local files (such as /etc/passwd), perform Server-Side Request Forgery against internal services, or exhaust resources through billion-laughs-style entity expansion. When the parser's output is not echoed back to the client, blind XXE still leaks data through DNS lookups or out-of-band HTTP requests. Defences include disabling DTD and external entity processing in every parser, preferring JSON or strict XML libraries with safe defaults, and validating uploaded XML against a tight schema.
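The first of those defences (refuse DTD and external entity processing outright) applied with Python's standard library, as an added example that is not the glossary's own code: audit_prolog() inspects only the prolog of an untrusted document with the stdlib expat parser and stops before the body is parsed, and parse_untrusted() hands the bytes to ElementTree only when no DTD is declared at all. The function and exception names and the sample documents SAFE_DOC and XXE_DOC are constructed for this example; the XXE payload reuses the entity declaration from the glossary's first example below.

```python
# Added example (not the glossary's code): gate untrusted XML on its DTD with
# the stdlib only.  pyexpat does no I/O, so external entities are reported, not
# fetched; parsing aborts right after the DTD, so nothing is ever expanded.
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UnsafeXML(ValueError):
    """The document declares a DTD; refuse it instead of parsing around it."""

class _PrologDone(Exception):
    """Raised from an expat handler to stop parsing before the body."""

def audit_prolog(data: bytes) -> list:
    """Inspect only the prolog; return findings (empty means no DOCTYPE)."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        src = f"external DTD {sysid!r}" if sysid else "internal subset"
        findings.append(f"DOCTYPE {name} with {src}")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid:  # SYSTEM/PUBLIC entity: the file:// or http:// XXE vector
            findings.append(f"external {kind} entity {name} -> {sysid}")
        else:  # internal entity: the building block of billion laughs
            findings.append(f"internal {kind} entity {name} ({len(value)} chars)")

    def stop(*_args):  # an exception raised in a handler propagates out of Parse()
        raise _PrologDone()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = stop  # abort right after the DTD ...
    parser.StartElementHandler = stop  # ... or at the root element if none
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    return findings

def parse_untrusted(data: bytes) -> ET.Element:
    """Hand the bytes to ElementTree only when audit_prolog() found nothing."""
    if findings := audit_prolog(data):
        raise UnsafeXML("; ".join(findings))
    return ET.fromstring(data)

# Constructed samples: a benign order, and the glossary's file:///etc/passwd payload.
SAFE_DOC = b"<?xml version='1.0'?><order><item>widget</item></order>"
XXE_DOC = b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><order>&xxe;</order>'
```

Rejecting any DOCTYPE is stricter than disabling only external entities, but it is the setting that needs no per-parser feature flags and also stops internal-entity expansion attacks.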

Examples

  1. An XML document with <!ENTITY xxe SYSTEM "file:///etc/passwd"> that exfiltrates the password file via a reflected response.

  2. A blind XXE payload that triggers a DNS lookup to an attacker-controlled server to confirm reachability of internal hosts.

Frequently asked questions

What is an XXE attack?

An attack against XML parsers that abuses external entity resolution to read files, scan internal networks, or trigger denial of service. It belongs to the Attacks & Threats category of cybersecurity.

What does "XXE attack" mean?

An attack against XML parsers that abuses external entity resolution to read files, scan internal networks, or trigger denial of service.

How do you defend against an XXE attack?

Defences for XXE combine technical controls and operational practices: disable DTD and external entity processing in every XML parser, prefer JSON or strict XML libraries with safe defaults, and validate uploaded XML against a tight schema, as described in the full definition above.

What are other names for an XXE attack?

Common alternative names include: XML External Entity attack.
