Input Validation / XML External Entity Injection
Description
XML external entity injection (XXE) is a security vulnerability typically found in web applications that parse XML input with a parser that resolves external entities declared in the document's DTD. It can allow an attacker to read sensitive data, cause denial of service, perform port scanning, and even carry out server-side request forgery (SSRF). The vulnerability is categorized by the Common Weakness Enumeration (CWE) as CWE-611 and is included in the CWE Top 25 (2022) list. It is also described in the OWASP Testing Guide.
Risk
XXE injection can be used to read local files, make the server issue requests to other hosts, and potentially expose sensitive information. By submitting malicious XML payloads, an attacker can leverage this vulnerability to conduct a variety of attacks, such as denial of service (DoS), data exfiltration, and server-side request forgery (SSRF).
Solution
The best way to address the risk of XXE injection is to validate input and reject XML documents that carry a DTD or entity declarations before they are parsed. Additionally, disable XML processing features that are not needed (in particular DTD processing and external entity resolution), and use whitelisting so that only well-formed documents in the expected structure are accepted.
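As an added example (not code from the original page), the following implements the "reject before parsing" advice above with Python's standard library only: a pre-parse pass on expat refuses any DOCTYPE or entity declaration (the approach defusedxml takes), and only a document that passes is handed to ElementTree. The function names and the two sample documents are constructed for illustration.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class ForbiddenDTD(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Pre-parse gate: fail closed on any DOCTYPE or entity declaration.

    Expat does not fetch external entities unless an external-entity
    handler is installed, so this pass is itself safe on untrusted input.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE {name!r} not allowed in untrusted XML")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenDTD(f"entity declaration {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)  # raises ExpatError on malformed input


def parse_untrusted(data: bytes) -> ET.Element:
    """Return the root element only if the document passed the DTD gate."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_acceptable(data: bytes) -> bool:
    """True only for well-formed XML with no DTD at all."""
    try:
        parse_untrusted(data)
        return True
    except (ForbiddenDTD, xml.parsers.expat.ExpatError, ET.ParseError):
        return False


# Constructed samples (not from the page): a plain order document and one
# that declares an entity through an internal DTD subset. Any DOCTYPE is
# rejected regardless of what it declares.
BENIGN = b'<?xml version="1.0"?><order id="42"><item sku="A1"/></order>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY e "x">]>'
            b'<order>&e;</order>')

if __name__ == "__main__":
    print(parse_untrusted(BENIGN).tag)  # order
    print(is_acceptable(WITH_DTD))      # False
```

The gate rejects the whole DOCTYPE rather than inspecting individual entities, which is simpler to reason about and also removes the "billion laughs" entity-expansion DoS surface.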