XML External Entity Injection Bootcamp

Master XXE vulnerabilities and their exploitation techniques

About XML External Entity Injection

XML External Entity (XXE) injection vulnerabilities occur when an XML parser accepts a DTD supplied in untrusted input and resolves the external entities it declares. Depending on the parser and the deployment, this leads to local file disclosure, server-side request forgery (SSRF) and denial of service (DoS).
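As an added defensive example (not part of the bootcamp material), the Python function below parses untrusted XML with the standard library's expat parser and refuses any document that carries a DOCTYPE, the declaration every XXE payload depends on; the two sample documents and the file path inside the entity are constructed placeholders.

```python
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE/DTD."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse XML into {"tag", "text", "children"} nodes, rejecting any DTD.

    External entities can only be declared inside a DOCTYPE, so refusing the
    DOCTYPE itself (rather than individual entities) closes the whole class.
    """
    parser = expat.ParserCreate()
    stack = [{"tag": None, "text": "", "children": []}]

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so no entity is ever declared.
        raise DtdRejected(f"DOCTYPE '{name}' not allowed in untrusted input")

    def external_entity(context, base, sysid, pubid):
        # Belt and braces: returning 0 makes expat abort instead of fetching.
        return 0

    def start_element(tag, attrs):
        node = {"tag": tag, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = lambda text: stack[-1].__setitem__(
        "text", stack[-1]["text"] + text)
    parser.Parse(data, True)
    return stack[0]["children"][0]


# Constructed samples: a benign order and one that declares an external entity.
BENIGN = b'<?xml version="1.0"?><order><item>widget</item></order>'
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///tmp/placeholder.txt">]>'
            b'<order><item>&ext;</item></order>')


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_without_dtd(data)
    except DtdRejected:
        return True
    return False
```

The same check applies to a DOCTYPE that references an external DTD by URL, since the handler fires on the declaration itself, not on its contents.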

Common XXE Attack Types

Basic XXE: Simple XML external entity injection
File Disclosure: Reading local files via XXE
SSRF: Server-Side Request Forgery via XXE
Advanced Techniques: Complex methods to bypass protections
DoS: Denial of Service via XXE

Common Vulnerable XML Parsers

PHP: SimpleXML, DOMDocument, XMLReader
Java: SAXParser, DocumentBuilder, XMLReader
Python: xml.etree.ElementTree, lxml
C#: XmlDocument, XDocument, XmlReader
Node.js: xml2js, fast-xml-parser

Real-World Impact

Local file disclosure and sensitive data exposure
Server-Side Request Forgery (SSRF) attacks
Denial of Service (DoS) attacks
Remote code execution in some cases
Port scanning and internal network reconnaissance
Compliance violations and security breaches