OWASP Periodic Table of Vulnerabilities - XML External Entities


Root Cause Summary
The XML parser is configured to process an unsafe DTD, one that contains external entity references pointing at resources on the filesystem or at other internal resources.

Browser / Standards Solution
None

Perimeter Solution
None

Generic Framework Solution
Disable external entity processing in the XML parser. Use strict, static, internally defined DTDs and discard any DTD supplied by the XML document itself. Where external content is genuinely needed, have the application load it safely through the framework's file access code instead of delegating that work to the XML parser.
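As an added illustration of the first two recommendations (not code from OWASP or the Periodic Table project), the following Python function parses untrusted XML with the standard-library expat parser while refusing any document-supplied DTD, entity declaration or external entity reference. The sample documents and the file path inside them are constructed placeholders.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document tries to supply a DTD or an entity."""


def parse_untrusted_xml(data):
    """Parse untrusted XML, rejecting DTDs instead of expanding their entities.

    Returns a flat list of (element name, attributes) pairs. Any DOCTYPE,
    entity declaration or external entity reference aborts parsing.
    """
    parser = expat.ParserCreate()
    elements = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Static, application-controlled DTDs only: none may come from the document.
        raise UnsafeXMLError("DOCTYPE %r not allowed in untrusted input" % doctype_name)

    def reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXMLError("entity declaration %r not allowed" % name)

    def refuse_external_entity(context, base, system_id, public_id):
        # Returning 0 tells expat the reference was not resolved, so Parse() fails
        # rather than fetching the filesystem or network resource.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_entity
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: elements.append((name, attrs))
    parser.Parse(data, True)
    return elements


def rejects_untrusted_xml(data):
    """True if parse_untrusted_xml refuses the document."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXMLError, expat.ExpatError):
        return True
    return False


# Constructed sample input: an ordinary document with no DTD.
PLAIN_DOC = b'<?xml version="1.0"?><order id="42"><item sku="A1"/></order>'

# Constructed sample input: the pattern this entry describes, an inline DTD whose
# entity points at a local resource (placeholder path, not a real file).
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/local-file">]>'
           b'<order>&ext;</order>')
```

The check fires on the DOCTYPE itself, so the parser never reaches the entity and the referenced resource is never opened.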

Custom Framework Solution
None

Custom Code Solution
None

Discussion / Controversy
XXE is an unsafe development pattern and should be discarded in favor of safer methods of building documents from multiple sources.