A4: XML External Entities (XXE) ❗️ — Top 10 OWASP 2017

A4:XML External Entities (XXE)

What is XXE attack?

An XXE attack occurs when malicious actors send off data in one of the XML formats they have control over (for example an XML upload, a SOAP request or even a DOCX file they can upload as they consist of XML documents after we extract them). The attacker can insert what’s called an external entity into an XML and call that entity in one of the nodes. This might cause the system to execute the external entity and for example execute code. We have shown an example below:

XXE Attack types

  • Retrieving files with the help of XXE
  • Performing SSRF attacks using XXE
  • Blind XXE attacks
  • Locating hidden attack surface for XXE attacks

How Can I Detect XML External Entities?

We should take to adept source code analysis tools that will scan our code and report issues to us. We should also note down any entry point for XML files such as XML file imports, DOCX file uploads, SVG image uploads and SOAP endpoints. We should make sure to test all these XXE entry points and not only limit ourselves to the regular XXE issues we know but look for blind XXE issues as they are harder to test for and require a different strategy. We need to investigate all the possibilities so this includes anything that might contain the vulnerability, SAML, DTD, SOAP, … and also test these endpoints thoroughly while making sure to test for every node of the XML.

XXE attack scenarios

How to prevent XXE vulnerabilities

Prevention of XXE attacks will rely heavily on indexing and protecting all possible XML entry points and making sure they do not have external entities enabled where not needed. We need to be aware that XML is something more complex than it seems at first glance and it reaches far and wide. If possible we should opt to use a different data format such as JSON to prevent the possibility of XXEs completely.


XXE is an often overlooked issue type due to the way developers learn about XML and how they often neglect to learn about it’s more intricate features such as external entities or Xincludes. Since these issues are easy to miss and they have such a large impact in general, it is important to pay close attention to any XML input point and to test it thoroughly.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ivan Novikov

Ivan Novikov

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.