XXE, or XML External Entity attack, is a web application vulnerability that affects a
website which parses unsafe, user-controlled XML. An XXE attack, when performed
successfully, can disclose local files on the file system of the website. XXE targets
these sensitive local files of a website that is vulnerable to unsafe parsing.
1. File Retrieval XXE: As the name implies, arbitrary files on the application server of a
endpoint in the target system. This can be carried out by passing an external XML
2. Blind XXE: It is possible that a target system does not return data from the entities
placed by the attacker while still being insecure and vulnerable to XXE. This is found by
trying out malformed user inputs. These include input longer than what the system
expects, the wrong data type, special entities, etc. The intention is to make the system
fail and check whether it throws out some sensitive information in the error response.
3. XXE to SSRF: Even if the system does not return the response with local file content to
the attacker, the system can still be exploited in the presence of an XXE attack. The
entity can be pointed to a local IP of the target company which can be accessed only
by its own websites/network. Placing an intranet IP in the XXE payload will make the target
application call its local endpoint, which the attacker would not otherwise have access to.
This type of attack is called SSRF or Server Side Request Forgery.
XML Parsing
https://www.geeksforgeeks.org/xml-external-entity-xxe-and-billion-laughs-attack/ 1/10
1/21/2021 XML External Entity (XXE) and Billion Laughs attack - GeeksforGeeks
XML is one of the commonly used data exchange formats. Data can be transferred
between the user and the website in XML format. Consider a website that accepts user
information in the form of XML. The XML that is submitted to the website looks as follows:
XML
The website accepts this XML, parses it and obtains the Name, Age, and Occupation of
entity can be defined in an XML document and can be reused multiple times across the website.
For example,
XML
also possible to look up an External Entity that refers to some third-party website.
There are multiple XML parsing libraries that parse an XML document and return a
Java
import java.io.File;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.w3c.dom.Node;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Deliberately unsafe parser from the article: the factory is used with its
// defaults, so a DOCTYPE in the untrusted file (and any entity it declares)
// is honoured by the parser.
public class GFGXMLParser
{
    public static void main(String[] args)
    {
        try
        {
            File file = new File("/Users/Siva-5136/Downloads/Untrusted.xml");
            DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
            DocumentBuilder db = dbFactory.newDocumentBuilder();
            Document doc = db.parse(file);
            NodeList nodeList = doc.getElementsByTagName("userDetails");
            // The loop body was lost at a page break in the extracted article;
            // this minimal loop (an assumption) prints each userDetails element,
            // which is where the content of a resolved entity would surface.
            for (int i = 0; i < nodeList.getLength(); i++)
            {
                Node node = nodeList.item(i);
                if (node.getNodeType() == Node.ELEMENT_NODE)
                {
                    Element element = (Element) node;
                    System.out.println(element.getTextContent());
                }
            }
        }
        catch (Throwable e)
        {
            // println takes a single argument; the original passed two
            System.out.println("Exception Parsing XML " + e);
        }
    }
}
Consider that the input XML is user controlled. The input is not validated and is passed
directly to the XML parser. The user may try to upload the following XML file:
XML
When the XML parser parses the XML input it resolves the entity named 'xxe' by its
definition. In the input, the XML entity is defined as the system resource "file://etc/passwd",
which is a sensitive local file on the website's application server. The parsed XML
replaces the entity with the content of this sensitive local file and may send it back to
The website should protect itself from XXE by disabling entities in user-generated XML
content before parsing it. Failing that, the website becomes vulnerable to an XXE
attack and hence may disclose highly sensitive private information to the attacker.
There are multiple ways to disable this, depending on the application stack and library used.
Almost all major XML parsers provide a way to disable XML external entities in the XML
parser itself. For the above XML parsing example, the safe version of the code looks as
follows:
Java
import java.io.File;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.w3c.dom.Node;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class GFGXMLParser
{
    public static void main(String[] args)
    {
        try
        {
            File file = new File("/Users/Siva-5136/Downloads/Untrusted.xml");
            DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
            // The features must be configured on the factory BEFORE the builder is
            // created and the file is parsed; setting them after parse() (as the
            // extracted page showed) protects nothing.
            // Reject any DOCTYPE outright: without a DTD no entity can be declared.
            dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for configurations where a DOCTYPE has to be tolerated.
            dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            DocumentBuilder db = dbFactory.newDocumentBuilder();
            Document doc = db.parse(file);
            NodeList nodeList = doc.getElementsByTagName("userDetails");
            // Loop body lost at a page break in the extracted article; this minimal
            // loop (an assumption) prints each userDetails element.
            for (int i = 0; i < nodeList.getLength(); i++)
            {
                Node node = nodeList.item(i);
                if (node.getNodeType() == Node.ELEMENT_NODE)
                {
                    Element element = (Element) node;
                    System.out.println(element.getTextContent());
                }
            }
        }
        catch (Throwable e)
        {
            // println takes a single argument; the original passed two
            System.out.println("Exception Parsing XML " + e);
        }
    }
}
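The same two controls expressed with Python's standard-library xml.sax (which drives expat), as an added example that is not the article's Java code: the DOCTYPE is refused the moment the parser reports it (the counterpart of disallow-doctype-decl), and external general and parameter entities are switched off in the parser (the counterpart of the external-general-entities and load-external-dtd features). The element names userDetails, name, age and occupation are assumed from the article's description, and both sample documents are constructed.

```python
import io
import xml.sax
from xml.sax import handler


class DoctypeForbidden(ValueError):
    """Raised as soon as a <!DOCTYPE ...> declaration is reported."""


class RejectDoctype:
    """Lexical handler whose only job is to abort on DOCTYPE. The other
    methods are no-ops that xml.sax.expatreader expects to be present."""

    def startDTD(self, name, public_id, system_id):
        # Fires before any <!ENTITY> inside the DTD is processed, so neither an
        # external entity nor an expansion bomb ever gets declared.
        raise DoctypeForbidden(f"DOCTYPE '{name}' is not allowed in untrusted XML")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


class UserDetails(handler.ContentHandler):
    """Collects the text of <name>, <age> and <occupation> inside <userDetails>."""

    FIELDS = ("name", "age", "occupation")

    def __init__(self):
        super().__init__()
        self.data = {}
        self._current = None

    def startElement(self, tag, attrs):
        if tag in self.FIELDS:
            self._current = tag
            self.data[tag] = ""

    def characters(self, content):
        if self._current is not None:
            self.data[self._current] += content

    def endElement(self, tag):
        if tag == self._current:
            self._current = None


def hardened_parser(content_handler):
    """A SAX parser that rejects DOCTYPE and never resolves external entities."""
    parser = xml.sax.make_parser()
    # Features must be set before parsing starts, exactly as with the Java factory
    parser.setFeature(handler.feature_external_ges, False)   # no external general entities
    parser.setFeature(handler.feature_external_pes, False)   # no external parameter entities
    parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    parser.setContentHandler(content_handler)
    return parser


def parse_user_details(xml_bytes: bytes):
    """Return (True, fields) for a clean document, or (False, reason) when the
    document was refused because it carried a DOCTYPE."""
    content = UserDetails()
    try:
        hardened_parser(content).parse(io.BytesIO(xml_bytes))
    except DoctypeForbidden as exc:
        return False, str(exc)
    return True, content.data


# Constructed sample inputs (not from the article)
BENIGN_XML = (b'<?xml version="1.0"?>'
              b'<userDetails><name>Asha</name><age>29</age>'
              b'<occupation>Engineer</occupation></userDetails>')
DOCTYPE_XML = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE userDetails [<!ENTITY greet "hello">]>'
               b'<userDetails><name>&greet;</name></userDetails>')

if __name__ == "__main__":
    print(parse_user_details(BENIGN_XML))   # (True, {'name': 'Asha', 'age': '29', 'occupation': 'Engineer'})
    print(parse_user_details(DOCTYPE_XML))  # (False, "DOCTYPE 'userDetails' is not allowed in untrusted XML")
```

Rejecting at startDTD is the cheapest point to stop both attacks on this page: an external entity and a billion-laughs bomb both need a DTD to declare their entities, and the exception is raised before the parser has read a single declaration.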
Related Vulnerabilities
Another common vulnerability associated with XML parsing is called a Billion Laughs
Attack. It uses nested entity definitions that expand into each other many times over,
thereby consuming CPU and memory and causing a denial of service attack. An example
XML payload that causes this attack is as follows:
XML
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
Each entity expands to ten copies of the one below it, so resolving the final entity
produces an enormous document, slowing down requests and causing a DoS attack on the
application. A billion laughs attack can be prevented by disabling DOCTYPE completely,
as in the above code snippet, or by setting a maximum limit on the evaluation of entities.
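A stdlib-only pre-parse check, added here as an example and not the article's code, that enforces both of the defences this page recommends: rejecting any DOCTYPE before parsing (the advice given for XXE above) and, where a DOCTYPE must be tolerated, bounding how far entities may expand (the limit suggested for billion laughs). It resolves the entity declarations arithmetically, never expanding them, so the page's own payload is refused because it would expand to three billion characters. Assumptions: the regular expressions cover the DTD syntax in the examples, not the full XML grammar; the default limit of one million characters is arbitrary; and the SYSTEM path in the constructed sample is a placeholder. Use it as a gate in front of a parser that is itself configured safely, not instead of one.

```python
import re
from dataclasses import dataclass, field

# Simplified DTD syntax, enough for the declarations shown on this page
DOCTYPE_RE = re.compile(r'<!DOCTYPE\s+(\S+)([^\[>]*)(?:\[(.*?)\])?\s*>', re.S)
ENTITY_DECL_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([^\s%\"']+)\s+"            # optional % marks a parameter entity
    r"(?:\"([^\"]*)\"|'([^']*)'|(SYSTEM|PUBLIC)\b)")  # literal value, or an external id
ENTITY_REF_RE = re.compile(r'&([A-Za-z_:][\w.:-]*);')


@dataclass
class Inspection:
    has_doctype: bool = False
    external_dtd: bool = False
    external_entities: list = field(default_factory=list)
    parameter_entities: list = field(default_factory=list)
    expansion_chars: int = 0   # size all entity references in the body would expand to
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _expanded_length(name, decls, memo, active):
    """Characters produced by fully expanding entity `name` (memoised, refuses cycles)."""
    if name in memo:
        return memo[name]
    if name in active:
        raise ValueError(f"entity '{name}' refers to itself")
    active.add(name)
    text, total, pos = decls[name], 0, 0
    for m in ENTITY_REF_RE.finditer(text):
        total += m.start() - pos
        ref = m.group(1)
        # undeclared or predefined references such as &amp; count at their literal size
        total += _expanded_length(ref, decls, memo, active) if ref in decls else len(m.group(0))
        pos = m.end()
    total += len(text) - pos
    active.discard(name)
    memo[name] = total
    return total


def inspect_xml(doc: str, max_expansion: int = 1_000_000,
                allow_doctype: bool = False) -> Inspection:
    """Gate an untrusted document on its DTD without expanding a single entity."""
    result = Inspection()
    m = DOCTYPE_RE.search(doc)
    if m is None:
        return result                    # no DTD: nothing can be declared or expanded
    result.has_doctype = True
    if not allow_doctype:
        result.problems.append("DOCTYPE declaration present")
    if re.search(r'\b(SYSTEM|PUBLIC)\b', m.group(2)):
        result.external_dtd = True
        result.problems.append("DOCTYPE references an external DTD")

    decls = {}
    for d in ENTITY_DECL_RE.finditer(m.group(3) or ""):
        is_param, name, dq, sq, external = d.groups()
        if is_param:
            result.parameter_entities.append(name)
        if external:
            result.external_entities.append(name)   # SYSTEM/PUBLIC would read a file or URL
        else:
            decls[name] = dq if dq is not None else sq
    if result.external_entities:
        result.problems.append(f"external entities declared: {result.external_entities}")
    if result.parameter_entities:
        result.problems.append(f"parameter entities declared: {result.parameter_entities}")

    memo = {}
    try:
        for ref in ENTITY_REF_RE.findall(doc[m.end():]):   # references in the body only
            if ref in decls:
                result.expansion_chars += _expanded_length(ref, decls, memo, set())
    except ValueError as exc:
        result.problems.append(str(exc))
    if result.expansion_chars > max_expansion:
        result.problems.append(
            f"entities expand to {result.expansion_chars} chars, limit is {max_expansion}")
    return result


# The page's own billion-laughs payload, kept verbatim for the check
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>"""
# Constructed samples (not from the page); the SYSTEM path is a placeholder
EXTERNAL_ENTITY = ('<?xml version="1.0"?>'
                   '<!DOCTYPE userDetails [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>'
                   '<userDetails><name>&xxe;</name></userDetails>')
BENIGN = '<?xml version="1.0"?><userDetails><name>Asha</name><age>29</age></userDetails>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", EXTERNAL_ENTITY), ("lol", BILLION_LAUGHS)):
        r = inspect_xml(doc)
        print(label, "ok" if r.ok else "REJECTED", r.expansion_chars, r.problems)
```

The arithmetic is what makes the limit enforceable: lol is 3 characters, each level multiplies by ten, so lol9 is 3 x 10^9 characters, and the check knows that before the parser has allocated a byte. Parameter entities are flagged as well because they are the usual way to smuggle declarations past a check that only looks at general entities.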
1. XXE can cause information leakage; it can leak system files that hold critical data.
2. Data obtained from XXE can be used to target the website for additional vulnerabilities.
3. A Billion Laughs attack can cause a service outage or a Denial of Service.