What is XXE Injection?
XXE injection exploits XML parsers that process external entity references, enabling attackers to read local files, perform SSRF, or cause denial of service via malicious XML documents.
- 1. Definition
- 2. How XXE Works
- 3. Types of XXE
- 4. Prevention
- 5. XXE and Autonomous Code Governance
Definition
XML External Entity (XXE) injection is a vulnerability that occurs when an XML parser processes XML input containing a reference to an external entity. XML allows documents to define entities — named substitutions — including external entities that load content from a URL or file path. When an attacker can submit XML to a parser that has external entity processing enabled, they can read arbitrary files from the server, perform server-side request forgery (SSRF), or in some configurations cause denial of service.
XXE appears in the OWASP Top 10 2017 as a standalone entry, and in the 2021 edition under "Software and Data Integrity Failures." It is an older vulnerability class but remains prevalent because XML is still widely used in enterprise integrations, SOAP services, document processing, and configuration files.
How XXE Works
A malicious XML payload that reads /etc/passwd:
<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>
If the parser processes external entities, it replaces &xxe; with the contents of /etc/passwd. The application then returns or processes data containing the file contents.
Types of XXE
Classic XXE (in-band)
The parser's output is returned in the HTTP response. The file contents or URL response appears directly in the application's output.
Blind XXE
The parser processes the entity but the response is not returned to the attacker. Data is exfiltrated through out-of-band channels: DNS lookups, HTTP callbacks to an attacker-controlled server, or error-based inference.
XXE for SSRF
Instead of a file:// URI, the attacker uses http:// pointing to internal network resources. The XML parser fetches the URL server-side, making XXE a vector for SSRF with the same internal network access implications.
Billion laughs (DoS)
A specially crafted document defines nested entity references that expand exponentially; parsing it consumes all available memory and CPU. This is the classic XML parser DoS attack.
Prevention
Disable external entity processing
The universal fix: configure the XML parser to disable external entity processing and DTD processing entirely. Every major XML parsing library has a secure configuration:
- Java DocumentBuilderFactory: setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
- Python lxml: use defusedxml library or resolve_entities=False
- .NET XmlReaderSettings: DtdProcessing = DtdProcessing.Prohibit
- PHP SimpleXML/DOMDocument: LIBXML_NONET | LIBXML_DTDLOAD disabled
Use defusedxml (Python)
The defusedxml library wraps standard Python XML parsers with safe defaults, blocking XXE, billion laughs, and other XML attacks without requiring manual configuration.
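As an added example (not code from this page, from defusedxml, or from Hydra), the "disable DTD processing entirely" rule implemented with only the Python standard library: the expat parser is told to abort on any DOCTYPE, entity declaration or external entity reference, the counterpart of the Java disallow-doctype-decl feature listed above. The sample documents and the file path in them are constructed placeholders.

```python
# Added example, not code from the page or from Hydra: stdlib-only XML parsing
# that rejects any DTD, the Python counterpart of Java's disallow-doctype-decl.
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """The document declared a DTD/entity or referenced an external entity."""


def parse_xml_no_dtd(xml_bytes: bytes) -> list:
    """Return (tag, attrs, text) per element, in end-tag order."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver each element's text in one chunk
    stack, elements = [], []

    # Any DTD construct aborts parsing before expat expands a single entity,
    # so XXE (external entities) and billion laughs (nested internal
    # entities) are stopped at the same point, before any file or network I/O.
    def reject(what):
        raise UnsafeXMLError(f"{what} not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = lambda name, *_: reject(f"DOCTYPE {name!r}")
    parser.EntityDeclHandler = lambda name, *_: reject(f"entity {name!r}")
    parser.ExternalEntityRefHandler = (
        lambda ctx, base, sysid, pubid: reject(f"external entity {sysid!r}"))

    def start(tag, attrs):
        stack.append([tag, attrs, []])

    def chars(data):
        stack[-1][2].append(data)

    def end(tag):
        name, attrs, parts = stack.pop()
        elements.append((name, attrs, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return elements


# Constructed sample inputs; the file path is a placeholder, not a real target.
CLEAN_DOC = b'<?xml version="1.0"?><order id="7"><item>widget</item></order>'
XXE_DOC = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
           b'"file:///constructed/path/secret.txt">]><root>&xxe;</root>')
```

A document without a DOCTYPE parses normally; the XXE document raises UnsafeXMLError as soon as the `<!DOCTYPE` is seen, so the entity is never declared, let alone resolved.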
Prefer JSON over XML
If XML is not required by the protocol (legacy SOAP, custom integrations), use JSON. JSON parsers do not support entity expansion and have no equivalent vulnerability class.
XXE and Autonomous Code Governance
Hydra detects XXE by identifying XML parser instantiation patterns and verifying that secure configuration options are set. For Java, Python, .NET, and PHP XML parsing code, Hydra checks whether external entity processing is disabled and generates fixes that apply the correct secure parser configuration for the library in use. The fix is specific to the parser library found in the codebase — not a generic patch.
Frequently Asked Questions
Is XXE only possible with user-supplied XML?
Primarily, but not exclusively. XXE can occur whenever attacker-controlled content reaches an XML parser — including XML embedded in other file formats (DOCX, XLSX, SVG, and other office formats are XML internally), XML attributes in SOAP headers, and configuration files that are processed with external entity expansion enabled.
Are modern XML parsers safe by default?
Not universally. Many older XML parsing libraries and some current ones process external entities by default. The security posture of the default configuration varies by library and version. Always explicitly configure parsers to disable external entity processing rather than relying on defaults.
What replaced XXE in the OWASP Top 10 2021?
XXE was merged into "Software and Data Integrity Failures" (A08:2021) in the 2021 edition, rather than having its own entry. SSRF was added as a new standalone entry. This reflects both the mitigation of XXE through better parser defaults and the increasing prevalence of SSRF in cloud environments.