Understanding XML External Entity (XXE) Injection

To understand XML external entity injection, also known as XXE, we first need to understand exactly what XML data is.

What is XML data?

XML is a software and hardware-independent tool for storing and transporting data via the internet or a corporate network. It doesn’t do anything; it is just a way of storing information in tags so that it can be shared in a structured and consistent manner. Like spoken language, you need to speak the same language to understand one another.

Learn more here: https://www.w3schools.com/xml/xml_whatis.asp

XML stands for Extensible Markup Language, and it is a markup language similar to HTML. However, HTML was created to display data and concentrates on how that data is presented. XML was designed to store and transport data and is self-descriptive: the tags can have any name, such as to, from, heading, or body, and describe what the data is.

What is XML external entity injection?

Now that that's been cleared up, we can explain how attackers abuse weaknesses in XML processing to harm web applications.

According to OWASP: Many older or poorly configured XML processors evaluate external entity references within XML documents. XML external entities (XXE) can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

In layman's terms: it is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. The XML standard lets a document's DOCTYPE declare an "external entity" that refers to a file path or a URL; a parser that honours such declarations fetches that resource and substitutes its contents wherever the entity is referenced, so an attacker who controls the XML controls what the server reads.

Types of XXE attacks 

XXE attacks range in type and motive. The most common aim is retrieving files from the server: the attacker declares an external entity that points at a local file and references it in an element whose value the application echoes back. This is most likely to succeed where an application parses untrusted XML with an outdated or insecurely configured processor; weaknesses such as insufficient logging & monitoring, broken access control, or broken authentication do not cause XXE, but they let an attack go unnoticed and widen what a retrieved file can unlock. The file's contents could result in sensitive data exposure of almost any data you store or send.

XXE can also be turned into server-side request forgery (SSRF): the external entity points at a URL instead of a file, so the vulnerable but trusted application makes the request to back-end or external systems on the attacker's behalf, reaching hosts the attacker cannot contact directly. Other attacks include exploiting blind XXE, where the application does not echo the entity's value back, to get sensitive data via parsing error messages or to exfiltrate data out-of-band.

You can find and test XXE vulnerabilities by submitting your web application for a penetration test with Omnicyber. Our reports will help you to resolve a variety of vulnerabilities before an attacker has the chance to interfere. Contact us to learn more about our pen testing services.
