1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

Related Articles

XML External Entity (XXE) and Billion Laughs attack

Last Updated : 14 Oct, 2020

XXE or XML External Entity attack is a web application vulnerability that affects a

website which parses unsafe XML that is driven by the user. XXE attack when per formed

successfully can disclose local files in the file system of the website.  XXE is targeted to

access these sensitive local files of the website that is vulnerable to unsafe parsing.

Types Of XXE Attacks

1. File Retrieval XXE: A s the name implies, arbitrar y files on the application ser ver of a

victim company can be exposed to the attacker, if there is an XXE vulnerable

endpoint in the target system.  This can be carried out by passing an external XML

entity in the user-controlled file.

2. Blind XXE: It is possible that a target system doesn’t return data from the entities

placed by the attacker still being insecure and vulnerable to XXE. This is done by

tr ying out malformed user inputs. These include the input of length more than what

the system expects, the wrong data type, special entities, etc. The intention is to

make the system fail and check if throws out some sensitive information in the error

response.

3. XXE to S SRF: Even if the system doesn’t return the response with local file content to

the attacker, the system can be still exploited in presence of an XXE attack. The

entity can be pointed to a local IP of the target company which can be accessed only

by its websites/network. Placing an intranet IP in XXE payload will make the target

application call its local endpoint which the attacker won’t have access to other wise.

This type of attack is called SSRF or Ser ver Side Request Forger y.

XML Parsing

https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 1/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

XML is one of the commonly used data exchange formats. Data can be transferred

between User and Website in XML format. Consider a website that accepts User

information in form of XML. The XML that is submitted to the website looks like follows,

XML

<?xml version="1.0" encoding="ISO-8859-1"?>

<profiles>
<profile>
<name> Siva </name>
<Age> 24 </Age>
<occupation> Lead </occupation>
</profile>
<profile>
<name> Subbu </name>
<Age> 25 </Age>
<occupation> Developer </occupation>
</profile>
</profiles>

The website accepts this XML, parses this obtains the Name, Age, and Occupation of

records in Input XML, and returns a response of processed names in return.

XML consists of a concept of entities to refer to a single object in an XML document. An

entity can be defined in an XML and can be reused multiple times across the website.

For example,

XML

<!ENTITY test SYSTEM "https://www.geeksforgeeks.org/DTD.dtd">

<custom>&test;;</custtom>

test is described as an Entity in an XML document and it can be reused anywhere. It is

also possible to lookup an External Entity that refers to some third-par ty website.

https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 2/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

Code To Parse XML Documents

There are multiple XML parsing libraries that parse XML Document and return a

Quer yable Object. Typically, In Java, XML is parsed as follows,

Java

import java.io.File;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.w3c.dom.Node;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
public class GFGXMLParser
{
public static void main(String[] args)
{
try
{
File file = new File("/Users/Siva-5136/Downloads/Untrusted.xml");
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbFactory.newDocumentBuilder();
Document doc = db.parse(file);
NodeList nodeList = doc.getElementsByTagName("userDetails");

//Set XML XXE Related Properties

for (int ind = 0; ind < nodeList.getLength(); ind++)

{
Node node = nodeList.item(ind);
if(Node.ELEMENT_NODE == node.getNodeType() )
{
Element nodeElement = (Element) node;
System.out.println(nodeElement.getElementsByTagName("uId").item(0).getTextC
System.out.println(nodeElement.getElementsByTagName("uFirstName").item(0).
}

https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 3/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

}
}
catch (Throwable e)
{
System.out.println("Exception Parsing XML ",e);
}
}
}

Carr ying Out XXE Attack

Consider the input XML is used controlled. The input is not validated and directly passed

to the XML parser. The user may tr y to upload the following XML file,

XML

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE name
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<profiles>
<profile>
<name>`&xxe;`</name>
<address>`test`</address>
<profile>
</profiles>

When the XML parser parses the XML input it resolves the entity named ‘xxe’ by its

definition. From input, the XML entity is defined as System resource “file://etc/passwd”

which is a sensitive local file on the website’s application ser ver. The parsed XML

replaces the entity with the content of this sensitive local file and may send it back to

the user. This is called an XML entity attack.  

Protection Against XXE Attacks 

https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 4/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

The website should protect itself from XXE by disabling entities in user-generated XML

content before parsing them. Failing which, the website becomes vulnerable to XXE

attack and hence may disclose highly sensitive private information to the attacker.

There are multiple ways to disable this based on the application stack and librar y used

to parse the XML source file.

Almost all major XML parsers provide a way to disable XML external entities in the XML

parser itself.  For the above XML parsing example, the safe version of code looks like

follows:

Java

import java.io.File;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.w3c.dom.Node;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
public class GFGXMLParser
{
public static void main(String[] args)
{
try
{
File file = new File("/Users/Siva-5136/Downloads/Untrusted.xml");
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbFactory.newDocumentBuilder();
Document doc = db.parse(file);
NodeList nodeList = doc.getElementsByTagName("userDetails");

//Set XML XXE Related Properties

dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", tru
dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", f
dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-externa

for (int ind = 0; ind < nodeList.getLength(); ind++)

{
Node node = nodeList.item(ind);
if(Node.ELEMENT_NODE == node.getNodeType() )
{
Element nodeElement = (Element) node;
System.out.println(nodeElement.getElementsByTagName("uId").item(0).getTextC
System.out.println(nodeElement.getElementsByTagName("uFirstName").item(0).
https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 5/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

}
}
}
catch (Throwable e)
{
System.out.println("Exception Parsing XML ",e);
}
}
}

Related Vulnerabilities 

Another common vulnerability associated with XML parsing is called A Billion L aughs

Attack. It uses an entity to resolve itself cyclically thereby consuming more CPU usage

and causing a denial of ser vice attack. An Example XML payload that can cause an XXE

attack is as follows:

XML

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

The entity keeps getting resolved to itself cyclically thereby slowing down requests and

causing a DOS attack on the application. A billion laughs attack can be disabling

DOCT YPE as in the above code snippet completely or setting a maximum limit on the

evaluation of entities.

https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 6/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

Impact Of XXE And A Billion Laughs Attacks

1. XXE can cause information leakage, it can leak system files that have critical data.

2. Data obtained from XXE can be used to target websites for additional vulnerabilities.

3. A billion L aughs can cause ser vice outage or a Denial Of Ser vice attack.

Attention reader! Don’t stop learning now. Get hold of all the impor tant CS Theor y

concepts for SDE inter views with the CS Theor y Course at a student-friendly price and

become industr y ready.

RECOMMENDED ARTICLES Page : 1 2 3

Difference between Active Attack Buffer Overflow Attack with

01 05
and Passive Attack Example
21, May 19 29, Mar 17

Path Traversal Attack and

02
Prevention Understanding ReDoS Attack
25, Apr 17
06 17, May 17

Difference between Threat and

https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 7/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

Attack Sybil Attack

03 05, Mar 20
07 10, Jan 19

Mitigation of SQL Injection Attack

04
using Prepared Statements Man In The Middle Attack | Avoid
08
(Parameterized Queries) Falling Victim to MITM
18, May 17 21, May 19

 Like 0

 Previous Next 

Ar ticle Contributed By :

sub154
@sub154

Vote for di culty

Easy Normal Medium Hard Expert

Article Tags : Cyber-security , Information-Security , Advanced Computer Subject

Report Issue
https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 8/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

Improve Article

Writing code in comment? Please use ide.geeksforgeeks.org, generate link and share the link here.

0 Comments GeeksforGeeks 🔒 Disqus' Privacy Policy 

1 Login

 Recommend t Tweet f Share Sort by Newest

Start the discussion…

LOG IN WITH
OR SIGN UP WITH DISQUS ?

Name

Be the first to comment.

✉ Subscribe d Add Disqus to your siteAdd DisqusAdd ⚠ Do Not Sell My Data

5th Floor, A-118,

Sector-136, Noida, Uttar Pradesh - 201305
feedback@geeksforgeeks.org

Company Learn
About Us Algorithms
Careers Data Structures
https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 9/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks

Privacy Policy Languages

Contact Us CS Subjects
Video Tutorials

Practice Contribute
Courses Write an Article
Company-wise Write Interview Experience
Topic-wise Internships

How to begin? Videos

@geeksforgeeks , Some rights reserved

https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 10/10