XML External Entities (XXE)

Extensible Markup Language (XML) describes data, such as the contents of a web page or a database export. XML's structure lets applications interpret information and exchange data consistently. To read that data, an application needs an XML processor, also called an XML parser: a component that reads XML files, transforms their content, updates databases, and delivers the content so the program can work with it.

When web applications use XML to transmit data between the browser and the server, they typically rely on an API (a parser) to process it. Within the XML standard, storage units are called "entities." An external entity is one whose content is loaded from a local or remote location rather than being defined inline, which is what lets it reach content the application never meant to expose.

An XXE vulnerability can arise from failure to:

  • Know the source before accepting or uploading XML data
  • Disable document type definitions (DTDs)
  • Use less complex data formats, such as JSON, where possible
  • Patch the XML processor or the underlying operating system
  • Detect XXE in source code
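
The following is an added example, not code from the original post, showing the "disable DTDs" mitigation in practice with Python's standard library expat parser. The parser is configured so that any DOCTYPE, entity declaration, or external entity reference aborts parsing before anything is resolved; the three sample documents and the `example.invalid` URL are constructed for illustration and are not from the post.

```python
import xml.parsers.expat

# Constructed sample documents (not from the original post).
# A plain document with no DTD: the only shape untrusted input should take.
PLAIN_DOC = b"<user><name>alice</name><role>viewer</role></user>"

# A document carrying a DTD with an internal entity. Harmless on its own,
# but any DOCTYPE is the hook an external entity declaration would hang from.
DTD_DOC = (
    b'<!DOCTYPE user [<!ENTITY greeting "hello">]>'
    b"<user><name>&greeting;</name></user>"
)

# A document declaring an external entity. The URL is a placeholder that is
# never fetched, because parsing is aborted as soon as the DOCTYPE appears.
EXTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE user [<!ENTITY ext SYSTEM "http://example.invalid/entity.dtd">]>'
    b"<user><name>&ext;</name></user>"
)


class ForbiddenDTD(ValueError):
    """Raised when untrusted XML tries to declare a DTD or an entity."""


def parse_untrusted(xml_bytes):
    """Parse untrusted XML into {tag: text}, refusing every DTD construct.

    Rejecting the DOCTYPE outright is the 'disable DTDs' mitigation from the
    post: with no DTD there is nowhere to declare an external entity.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE {doctype_name!r} not allowed in untrusted input")

    def reject_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        raise ForbiddenDTD(f"entity declaration {entity_name!r} not allowed")

    def reject_external_ref(context, base, system_id, public_id):
        # Defence in depth: even if a DOCTYPE somehow slipped through, never
        # resolve an external reference.
        raise ForbiddenDTD(f"external entity reference {system_id!r} blocked")

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref

    result = {}
    stack = []

    def start(tag, attrs):
        stack.append(tag)
        result.setdefault(tag, "")

    def end(tag):
        stack.pop()

    def chars(data):
        if stack:
            result[stack[-1]] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    return result


def is_rejected(xml_bytes):
    """True when the parser refuses the document because of a DTD construct."""
    try:
        parse_untrusted(xml_bytes)
    except ForbiddenDTD:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted(PLAIN_DOC))
    for doc in (DTD_DOC, EXTERNAL_ENTITY_DOC):
        print("rejected" if is_rejected(doc) else "accepted", doc[:40])
```

Because the DOCTYPE handler fires before any entity in the internal subset is declared, the external entity in `EXTERNAL_ENTITY_DOC` is never parsed, let alone fetched; the entity and external-reference handlers are kept only as a second layer in case a future code change re-enables DTDs. The same policy applies to any parser that offers these hooks: turn DTD processing off, and treat a DOCTYPE in untrusted input as a reason to reject the request rather than something to tolerate.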