Improper Restriction of XML External Entity Reference, or XXE, refers to a situation in which an XML parser is incorrectly set, allowing an attacker to connect directly with local or external files.
When an application executes an XML document that contains entities pointing to external URIs, CWE-611 vulnerabilities can occur. These URIs resolve to assets outside the application's control, resulting in potentially dangerous execution of activities prescribed by the external assets.
An issue in parsing an XML file containing XML entities with URIs that potentially refer to documents beyond the intended place is the source of the flaw. If the program fails to check the path to documents before including them, the attacker can consist of any file from a local or remote system and have it displayed by the application.
XML uses a tree-like structure of tags and data to store and convey data. A document type definition (DTD) can be found in an XML document, and its declarations describe the document's structure, data values, rights, and so on. The DTD might be embedded in the document or referenced from another location. You can specify "XML entities" in DTDs, which refer to values in the document in the same way that variables are used in programming languages.
The XXE attack is based on the ability of the XML language to declare arbitrary entities using an external Data Type Definition (DTD) and the ability to read and execute files.
The impact can range from local / remote file inclusion to remote command execution and entire system compromise, depending on the application's implementation and architecture.
This vulnerability can also be exploited to execute internal network port scans on the affected machine or servers.
The attacker may be able to access arbitrary files on the system if a malicious DTD is included and a default entity resolver is enabled.
The DTD can include any HTTP request that the server can handle. Therefore, other attacks could be launched due to the server's trust connection with other entities.
This vulnerability is frequently introduced to the program during the architecture and design phase. Therefore, it is nearly impossible to mitigate this vulnerability without modifying the application source code in most circumstances.
External entity expansion can be disabled in many XML parsers and validators.
Allowing application functionality that parses XML documents should be avoided.
Implement server-side input validation, filtering, or sanitization that is positive allowlisting to prohibit malicious data from entering XML documents or headers.
Configure the XML parser so that no DTD declarations are validated or processed.