Christophe Limpalair
Co-Founder of Cybr, and Course Author
XXE Injections - Overview
Disable DTDs, External Entities, and External DTDs
Disable DTDs completely
If you can't, then you should at least disable external entities and external DTDs
Disable DTDs, External Entities, and External DTDs
Disabling depends on the parser and language being used...
For PHP, you could do it with:
libxml_disable_entity_loader(true);
Disable DTDs, External Entities, and External DTDs
For more languages and info:
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Verify XML file uploads
How to handle file uploads:
https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
Use alternatives to XML
ie: JSON or YAML
Find XXE vulnerabilities in your apps
Automated tools:
- OWASP ZAP
- Burp Suite
Manual review:
- Look for XML uploads or inclusions
- Test those areas
Defenses against XXE Injections
By Christophe Limpalair
