Cheat Sheets Infrastructure Web Application Security

XXE Cheatsheet – XML External Entity Injection

All the fun of the post on XML External Entities (XXE) but less wordy!

A internal entity:

<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
Web Application Security

XXE: XML External Entity Injection

Here’s a quick write-up on XXE, starting with how to detect the vulnerability and moving on to how to fix it! XXE is a vulnerability in the way that XML parses handle¬†user¬†input and if an attacker is able to enter arbitrary or crafted data into an XML parser they may be able to inject entities and this could leave to file disclosure, denial-of-service attacks or in rare cases – code execution!