OWASP XML External Entities (XXE)

XML external entity (XXE) injection

<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "<file:///etc/passwd>">
]>
<foo>&xxe;</foo>

Most xml parsers are vulnerable to XXE injection by default.
You need to configure them to be safe

(src: Book: release it! - Michael Nygard)

Backlinks

• Model: OWASP top 10
• OWASP Injection