Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)
Managed WAF Start at $99

How to Prevent XML External Entities?

Posted DateJuly 14, 2020
Posted Time 4   min Read

Custom-defined XML entities that are loaded externally and parsed by weak XML parsers, XXE vulnerabilities as they are better known, are extremely dangerous. In 2017, millions of applications, computers, and servers used to develop, test, and analyze Android applications were put at risk owing to the flaws that allowed XML entities with external references to be parsed/ read by the XML parser of an APKTool.

In the article, a detailed understanding of XML entities, XXE vulnerabilities, and their prevention will be provided.

What are XML and XML Entities?

XML or Extensible Markup Language is designed and used to represent, store and share structured information (such as documentation, data, invoices, transactions, etc.) in simple text-based format (tags) that are both human- and machine-readable.

What are XML Entities

The declarations defining the structure of the XML document, data values contained in it, etc. are contained in the Document Type Declaration/ DOCTYPE declaration/ DTD. This can be contained within the document itself, have external references, or be a mix of both.

In XML format documents, data is represented using XML entities, which are built into the language as specifications. These entities can be custom-defined, located outside the DTD, and loaded from external sources such as local files, URI, etc. Such XML inputs with external references are known as XML external entities.

What is an XXE Vulnerability?What is XXE Vulnerability

XXE Vulnerabilities are known to occur when XML External Entities are supported by an application and parsed by weak XML parsers/ processors, providing attackers with immense flexibility and a fertile ground to orchestrate XXE attacks.

Why are XML External Entities Dangerous?

Why are XML External Entities Dangerous

Several Kinds of Malicious Activities Are Enabled by XXE Injection Attacks

  • Unauthorized access to confidential data, server filesystems, backend/ external systems, etc.
  • Data corruption.
  • DoS attacks that exhaust network/ server resources and cause website crashes/ downtimes.
  • Remote code execution
  • Cross-site forgery that compromises the underlying server/ other backend infrastructure.
  • Network attacks

Flexibility and Extensibility are Double-Edged Swords

The sender and receiver can agree upon newly-defined XML entities (custom entities, markup symbols, entities with varying values, etc.) and message formats during runtime owing to the extraordinary flexibility and extensibility. However, these very advantages are leveraged by attackers to load XML External Entities that are custom-crafted to fulfill their malicious motives.

Weakly Configured XML Parsers

Typically, XML parsers (especially traditional ones) are not designed to verify/ check content, thereby, allowing all kinds of values/ markup symbols in the parsed/ resolved entity including external DTD. Several attack vectors are made possible owing to such a misconfiguration.

How to Prevent XML External Entities?

How to Prevent XML Entities

Leveraging Automation for Identification of XXE

A majority of XXE vulnerabilities are identified reliably, swiftly, and accurately by an intelligent, automated, and hassle-free web application scanner backed with Global Threat Intelligence, such as the one offered by AppTrana.

Application Security Testing Performed by Security Experts

Some kinds of XML External Entities are not identified by automated web scanning tools such as blind XXE, file retrievals, and XInclude attacks. In such cases, application security testing must be performed manually by certified security experts.

Managed WAF with Custom-Defined Rules

Traditional WAFs are bypassed rather easily by attackers exploiting the XXE vulnerabilities in the application. A managed, intuitive, and comprehensive Web Application Firewall, such as the one from AppTrana, that supports customization of policies is essential in preventing XXE attacks.

Signature and behavioral analysis along with other security methodologies are used by AppTrana to effectively detect and block XXE attack vectors. Equipped with Global Threat Intelligence, emerging threats are automatically blocked by AppTrana. A combination of whitelisting and blacklisting rules is used to ensure malicious payloads are not executed by the server/ application.

Disabling DTD Support

External DTD is designed to be utilized by trusted parties. However, it is a legacy feature and often, leveraged by malicious actors to attack web applications. Disabling DTD is an effective way to prevent XXE attacks. When it is not possible, at least the external entities’ feature must be disabled.

Other measures to prevent XML External Entities
  • Apart from disabling features that weaken them, the XML processors and libraries used in the application must be patched and updated always.
  • All file uploads, server-side user inputs, and URLs must be sanitized and validated before being parsed by the XML processor.
  • The principle of least privilege for server processes must be ensured.


XXE vulnerabilities have devastating impacts, despite their medium prevalence. As a result of the high risks attached, they have been placed on #4 in the OWASP Top 10 vulnerabilities list. XML entities with external references/ XXE Vulnerabilities must be effectively prevented for a stronger security posture and continuous availability of the application.

web application security banner

Spread the love

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

API Security
OWASP Top 10 Vulnerabilities in 2021: How to Mitigate Them?

Read on to find out the OWASP Top 10 vulnerabilities 2021 explained in detail, along with ways to mitigate each.

Spread the love

Read More
Serialization Attacks and How to Prevent Them
What are Serialization Attacks and How to Prevent Them?

Serialization and deserialization are powerful tools but need to be securely executed to ensure they aren’t counterproductive. Explore here.

Spread the love

Read More
10 Tips to Protect Against OWASP Top 10
Top 10 Tips to Protect Against OWASP Top 10 Vulnerabilities

Foster a culture of secure development and usage of web applications by protecting your business against OWASP Top 10 vulnerabilities.

Spread the love

Read More


Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Know More Take Free Trial


Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!