XML External Entity (XXE)
A vulnerability in XML parsers that allows attackers to read local files, perform SSRF, or cause denial of service through malicious XML entities.
XML External Entity (XXE) attacks abuse XML parsers that process document type definitions (DTDs) and the entity declarations inside them. If the parser resolves external entities, an attacker who controls the XML can declare an entity whose SYSTEM identifier points at a local file (for example file:///etc/passwd) and have that file's contents spliced into the document, or point it at an internal URL to make the server issue requests on the attacker's behalf (SSRF). A related denial-of-service attack, the "Billion Laughs" attack, declares nested internal entities that expand exponentially when referenced; it needs no external entity resolution at all, so a parser that blocks external entities but still processes DTDs remains exposed to it.
XXE vulnerabilities appear wherever applications parse XML input: SOAP web services, XML-based file uploads (DOCX, SVG, XLSX), SAML authentication flows, and RSS feed processors. Even applications that appear to accept JSON may have XML parsing capabilities that can be triggered by changing the Content-Type header.
The primary mitigation is to configure the XML parser to refuse DTDs outright or, where DTDs are genuinely needed, to disable external general entities, external parameter entities and external DTD loading, so that the parser never fetches anything the document points at. Do not assume the defaults are safe: Python's xml.sax only stopped resolving external entities by default in 3.7.1, lxml resolves them unless the parser is created with resolve_entities=False, and Java's DocumentBuilderFactory still needs the disallow-doctype-decl feature (or the external-general-entities and external-parameter-entities features switched off) before it is safe. Legacy applications and frameworks that construct their own parser instances are the usual place these settings have been left permissive.
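The following is an added example, not code from this page or from APVISO, showing the difference between the parser configurations described above using Python's standard-library xml.sax: external entities resolved (the legacy default), external entities disabled, and DTDs refused entirely. The secret file, the payload shapes and the function names (parse_text, demo and so on) are constructed for the demonstration and are not part of any real application.

```python
"""Vulnerable vs. hardened XML parsing with Python's stdlib xml.sax (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Gathers the character data the parser delivers, as an application would."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE and the parser was told to refuse DTDs."""


class RejectDoctype:
    """SAX lexical handler whose startDTD fires before any entity declaration is read."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE refused (root={name!r}, system_id={system_id!r})")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_text(xml_bytes, resolve_external=False, allow_doctype=True):
    """Parse and return the document's text under the chosen parser configuration."""
    parser = xml.sax.make_parser()
    # feature_external_ges=True is the legacy behaviour (the default before Python 3.7.1):
    # SYSTEM entities are fetched from files or URLs and spliced into the document.
    parser.setFeature(handler.feature_external_ges, resolve_external)
    if not allow_doctype:
        # Strongest setting: refuse DTDs entirely, which also stops internal entity bombs.
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def file_read_payload(path):
    """Classic file-disclosure payload: the entity body becomes the content of <id>."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        "<order><id>&xxe;</id></order>"
    ).encode()


def billion_laughs_payload(depth=3, fanout=10):
    """Small entity bomb (fanout**depth copies of 'lol') built from internal entities only."""
    ents = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        ents.append(f'<!ENTITY lol{i} "' + f"&lol{i - 1};" * fanout + '">')
    decls = "".join(ents)
    return f"<!DOCTYPE bomb [{decls}]><bomb>&lol{depth};</bomb>".encode()


def _outcome(xml_bytes, **kwargs):
    try:
        parse_text(xml_bytes, **kwargs)
        return "parsed"
    except DoctypeRejected:
        return "rejected"


def demo():
    """Run the same payloads through the three configurations; returns what each yields."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("db_password=hunter2")  # constructed sample secret, not a real credential
        payload = file_read_payload(secret)
        results["vulnerable"] = parse_text(payload, resolve_external=True)
        results["no_external"] = parse_text(payload, resolve_external=False)
        results["no_doctype"] = _outcome(payload, allow_doctype=False)
    bomb = billion_laughs_payload()
    # Blocking external entities alone still lets the internal entity bomb expand.
    results["bomb_no_external_len"] = len(parse_text(bomb, resolve_external=False))
    results["bomb_no_doctype"] = _outcome(bomb, allow_doctype=False)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run as a script it prints what each configuration yields: the legacy configuration returns the secret file's contents inside the parsed text, disabling external entities leaves that element empty but still expands the internal entity bomb to thousands of characters, and refusing DOCTYPE stops both payloads before any entity is processed while ordinary documents without a DTD still parse normally.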
How APVISO tests for this: APVISO's scanner agent sends crafted XML payloads to endpoints that accept XML input, including endpoints that may accept XML via Content-Type manipulation. It tests for file read, SSRF, and out-of-band XXE variants.