Skip to main content
XML (eXtensible Markup Language) is widely used for data exchange and configuration. However, insecure processing of XML can lead to various vulnerabilities, including XML External Entity (XXE) attacks, XML Entity Expansion, XPath injection, and more.These vulnerabilities can result in information disclosure, denial of service, server-side request forgery, or even remote code execution in some cases. They typically occur when XML parsers are configured to process external entities or when user input is not properly validated before being used in XML operations.Preventing XML vulnerabilities requires secure configuration of XML parsers, proper input validation, and following best practices for XML processing.
// Anti-pattern: Vulnerable to XXE injection
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.StringReader;
import org.xml.sax.InputSource;

public Document parseXml(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    
    // Parse XML without disabling external entities
    return builder.parse(new InputSource(new StringReader(xml)));
}

// Better approach: Preventing XXE injection
public Document parseXmlSecurely(String xml) throws Exception {
    // Create a secure DocumentBuilderFactory
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    
    // Disable external entities and DTDs
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xml)));
}

// Anti-pattern: Vulnerable to XXE injection in PHP
function parseXml($xmlString) {
    $dom = new DOMDocument();
    $dom->loadXML($xmlString); // Vulnerable to XXE
    return $dom;
}

// Better approach: Preventing XXE injection in PHP
function parseXmlSecurely($xmlString) {
    $dom = new DOMDocument();
    
    // Disable external entities
    $prevValue = libxml_disable_entity_loader(true);
    
    // Use LIBXML_NONET to prevent network access during XML processing
    $dom->loadXML($xmlString, LIBXML_NONET);
    
    // Restore previous value
    libxml_disable_entity_loader($prevValue);
    
    return $dom;
}

# Anti-pattern: Vulnerable to XXE injection in Python
from xml.dom.minidom import parseString

def parse_xml(xml_string):
    # Vulnerable to XXE
    return parseString(xml_string)

# Better approach: Preventing XXE injection in Python
import defusedxml.minidom

def parse_xml_securely(xml_string):
    # Use defusedxml library which is secure against XXE
    return defusedxml.minidom.parseString(xml_string)
XML External Entity (XXE) injection occurs when an application processes XML input containing references to external entities, potentially leading to information disclosure, denial of service, or server-side request forgery.To prevent XXE injection:
  • Disable external entities and DTDs in XML parsers
  • Use secure XML parsing libraries (like defusedxml in Python)
  • Configure XML parsers to disable entity expansion
  • Consider using alternative data formats like JSON when possible
  • Implement proper input validation
  • Keep XML parsing libraries updated
  • Consider using XML schema validation
  • Implement proper error handling for XML parsing
<!-- Anti-pattern: XML with entity expansion (Billion Laughs Attack) -->
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

// Anti-pattern: Vulnerable to entity expansion attacks
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.StringReader;
import org.xml.sax.InputSource;

public Document parseXml(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    
    // Parse XML without limiting entity expansion
    return builder.parse(new InputSource(new StringReader(xml)));
}

// Better approach: Preventing entity expansion attacks
public Document parseXmlSecurely(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    
    // Disable DTDs and external entities
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    
    // If DTDs must be allowed, limit entity expansion
    // factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
    // factory.setXIncludeAware(false);
    // factory.setExpandEntityReferences(false);
    
    // Set entity expansion limit
    System.setProperty("jdk.xml.entityExpansionLimit", "100");
    
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xml)));
}
XML Entity Expansion attacks (also known as the Billion Laughs Attack) exploit recursive entity definitions to cause denial of service by consuming excessive memory and CPU resources.To prevent XML Entity Expansion attacks:
  • Disable DTDs and external entities when possible
  • Set entity expansion limits
  • Disable entity expansion altogether if not needed
  • Use XML parsers that are not vulnerable to entity expansion
  • Consider using alternative data formats like JSON
  • Implement proper input validation
  • Consider implementing timeout mechanisms for XML parsing
  • Monitor system resources during XML processing
// Anti-pattern: Vulnerable to XPath injection
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

public String getUserEmail(Document doc, String username, String password) {
    XPath xpath = XPathFactory.newInstance().newXPath();
    
    // Vulnerable to XPath injection
    String expression = "/users/user[username='" + username + "' and password='" + password + "']/email";
    
    return xpath.evaluate(expression, doc);
}

// Better approach: Preventing XPath injection
public String getUserEmailSecurely(Document doc, String username, String password) {
    XPath xpath = XPathFactory.newInstance().newXPath();
    
    // Use XPath variables instead of string concatenation
    String expression = "/users/user[username=$username and password=$password]/email";
    
    // Create a variable resolver
    SimpleVariableResolver resolver = new SimpleVariableResolver();
    resolver.addVariable("username", username);
    resolver.addVariable("password", password);
    
    xpath.setXPathVariableResolver(resolver);
    
    return xpath.evaluate(expression, doc);
}

// Simple variable resolver implementation
class SimpleVariableResolver implements XPathVariableResolver {
    private Map<QName, Object> variables = new HashMap<>();
    
    public void addVariable(String name, Object value) {
        variables.put(new QName(name), value);
    }
    
    @Override
    public Object resolveVariable(QName variableName) {
        return variables.get(variableName);
    }
}

// Anti-pattern: Vulnerable to XPath injection in PHP
function getUserEmail($xml, $username, $password) {
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    
    $xpath = new DOMXPath($doc);
    
    // Vulnerable to XPath injection
    $query = "/users/user[username='$username' and password='$password']/email";
    
    $result = $xpath->query($query);
    return $result->length > 0 ? $result->item(0)->nodeValue : null;
}

// Better approach: Preventing XPath injection in PHP
function getUserEmailSecurely($xml, $username, $password) {
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    
    $xpath = new DOMXPath($doc);
    
    // Use XPath variables instead of string concatenation
    $query = "/users/user[username=:username and password=:password]/email";
    
    // Register PHP variables as XPath variables
    $xpath->registerNamespace('php', 'http://php.net/xpath');
    $xpath->registerPhpFunctions();
    
    // Replace placeholders with function calls that return sanitized values
    $query = str_replace(':username', "php:functionString('addslashes', '$username')", $query);
    $query = str_replace(':password', "php:functionString('addslashes', '$password')", $query);
    
    $result = $xpath->query($query);
    return $result->length > 0 ? $result->item(0)->nodeValue : null;
}
XPath injection occurs when user input is used to construct XPath queries without proper validation or escaping, potentially allowing attackers to manipulate the query logic.To prevent XPath injection:
  • Use parameterized XPath queries with variable resolvers
  • Implement proper input validation
  • Consider using XPath query builders
  • Avoid constructing XPath expressions through string concatenation
  • Use the principle of least privilege for XML access
  • Consider using XML schema validation
  • Implement proper error handling that doesn’t reveal query details
  • Consider using alternative data access methods when possible
<!-- Anti-pattern: XML with external entity that can cause SSRF -->
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "http://internal-server/sensitive-data" >
]>
<foo>&xxe;</foo>

// Anti-pattern: Processing XML that could lead to SSRF
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.StringReader;
import org.xml.sax.InputSource;

public Document processXmlDocument(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    
    // Vulnerable to SSRF via XXE
    return builder.parse(new InputSource(new StringReader(xml)));
}

// Better approach: Preventing SSRF via XML
public Document processXmlDocumentSecurely(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    
    // Disable external entities and DTDs
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xml)));
}
Server-Side Request Forgery (SSRF) via XML occurs when XML processors resolve external entities, allowing attackers to make the server perform requests to internal or external resources.To prevent SSRF via XML:
  • Disable external entity resolution in XML parsers
  • Disable DTD processing if possible
  • Implement network access controls
  • Use XML parsers that don’t resolve external entities by default
  • Consider using a whitelist of allowed resources
  • Implement proper input validation
  • Consider using alternative data formats like JSON
  • Implement proper error handling that doesn’t reveal sensitive information
<!-- Anti-pattern: Vulnerable XML with signature -->
<soap:Envelope>
  <soap:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body">
            <!-- Signature details -->
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <ns1:getAccount>
      <accountId>12345</accountId>
    </ns1:getAccount>
  </soap:Body>
</soap:Envelope>

// Anti-pattern: Vulnerable signature validation
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dom.*;
import org.w3c.dom.Document;

public boolean validateSignature(Document doc) throws Exception {
    NodeList signatureNodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (signatureNodes.getLength() == 0) {
        return false;
    }
    
    DOMValidateContext valContext = new DOMValidateContext(keySelector, signatureNodes.item(0));
    
    // Vulnerable to signature wrapping attacks
    XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
    XMLSignature signature = factory.unmarshalXMLSignature(valContext);
    
    return signature.validate(valContext);
}

// Better approach: Secure signature validation
public boolean validateSignatureSecurely(Document doc) throws Exception {
    NodeList signatureNodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (signatureNodes.getLength() == 0) {
        return false;
    }
    
    // Create validation context
    DOMValidateContext valContext = new DOMValidateContext(keySelector, signatureNodes.item(0));
    
    // Set secure validation properties
    valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
    
    // Unmarshal the signature
    XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
    XMLSignature signature = factory.unmarshalXMLSignature(valContext);
    
    // Validate the signature
    boolean coreValidity = signature.validate(valContext);
    
    if (coreValidity) {
        // Additional checks to prevent signature wrapping
        // 1. Verify that the signed element is the expected one
        SignedInfo signedInfo = signature.getSignedInfo();
        List<Reference> references = signedInfo.getReferences();
        
        for (Reference ref : references) {
            String uri = ref.getURI();
            if (uri.startsWith("#")) {
                String id = uri.substring(1);
                Element signedElement = getElementById(doc, id);
                
                // Verify it's the expected element (e.g., soap:Body)
                if (!signedElement.getLocalName().equals("Body")) {
                    return false;
                }
            }
        }
        
        return true;
    }
    
    return false;
}

// Helper method to get element by ID securely
private Element getElementById(Document doc, String id) {
    // Implement a secure getElementById method that handles potential duplicates
    // and verifies the element is in the expected position in the document
}
XML Signature Wrapping (XSW) attacks exploit vulnerabilities in the way XML signatures are validated, allowing attackers to modify signed XML documents while keeping the signature valid.To prevent XML Signature Wrapping attacks:
  • Implement secure signature validation that checks the position of signed elements
  • Use XML Canonicalization (C14N) properly
  • Verify that the signed element is the expected one
  • Implement schema validation before signature validation
  • Consider using additional context-based validation
  • Keep XML security libraries updated
  • Consider using alternative security mechanisms when possible
  • Implement proper error handling for signature validation
// Anti-pattern: Insecure XML deserialization
import java.beans.XMLDecoder;
import java.io.StringBufferInputStream;

public Object deserializeXml(String xml) {
    // Vulnerable to code execution via XML deserialization
    XMLDecoder decoder = new XMLDecoder(new StringBufferInputStream(xml));
    Object result = decoder.readObject();
    decoder.close();
    return result;
}

// Better approach: Secure alternative to XML deserialization
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import java.io.StringReader;

public MyObject deserializeXmlSecurely(String xml) throws Exception {
    // Use JAXB with a specific class instead of XMLDecoder
    JAXBContext context = JAXBContext.newInstance(MyObject.class);
    Unmarshaller unmarshaller = context.createUnmarshaller();
    
    // Add validation against a schema
    SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    Schema schema = sf.newSchema(new File("myobject.xsd"));
    unmarshaller.setSchema(schema);
    
    return (MyObject) unmarshaller.unmarshal(new StringReader(xml));
}

// Anti-pattern: Insecure XML deserialization in PHP
function deserializeXml($xml) {
    // Vulnerable to PHP object injection via SimpleXMLElement
    $data = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $data;
}

// Better approach: Secure XML processing in PHP
function deserializeXmlSecurely($xml) {
    // Disable external entities
    $prevValue = libxml_disable_entity_loader(true);
    
    // Use LIBXML_NONET to prevent network access
    $data = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    
    // Restore previous value
    libxml_disable_entity_loader($prevValue);
    
    return $data;
}
Insecure XML deserialization can lead to remote code execution, especially when using deserializers that support arbitrary code execution or object instantiation.To prevent insecure XML deserialization:
  • Avoid using XML deserializers that support arbitrary code execution (like Java’s XMLDecoder)
  • Use safer alternatives like JAXB with specific classes
  • Implement schema validation before deserialization
  • Disable external entities and DTDs
  • Consider using alternative data formats like JSON
  • Implement proper input validation
  • Keep deserialization libraries updated
  • Implement proper error handling for deserialization
// Anti-pattern: Vulnerable to XML injection
public String createXmlDocument(String username, String email) {
    // Directly inserting user input into XML
    return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
           "<user>\n" +
           "  <username>" + username + "</username>\n" +
           "  <email>" + email + "</email>\n" +
           "</user>";
}

// Better approach: Preventing XML injection
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import java.io.StringWriter;

public String createXmlDocumentSecurely(String username, String email) throws Exception {
    // Create a new document using the DOM API
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document doc = builder.newDocument();
    
    // Create elements and set text content (automatically escaped)
    Element rootElement = doc.createElement("user");
    doc.appendChild(rootElement);
    
    Element usernameElement = doc.createElement("username");
    usernameElement.setTextContent(username); // Properly escaped
    rootElement.appendChild(usernameElement);
    
    Element emailElement = doc.createElement("email");
    emailElement.setTextContent(email); // Properly escaped
    rootElement.appendChild(emailElement);
    
    // Convert DOM to string
    TransformerFactory transformerFactory = TransformerFactory.newInstance();
    Transformer transformer = transformerFactory.newTransformer();
    StringWriter writer = new StringWriter();
    transformer.transform(new DOMSource(doc), new StreamResult(writer));
    
    return writer.toString();
}

// Anti-pattern: Vulnerable to XML injection in PHP
function createXmlDocument($username, $email) {
    // Directly inserting user input into XML
    return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" .
           "<user>\n" .
           "  <username>" . $username . "</username>\n" .
           "  <email>" . $email . "</email>\n" .
           "</user>";
}

// Better approach: Preventing XML injection in PHP
function createXmlDocumentSecurely($username, $email) {
    // Create a new document using the DOM API
    $doc = new DOMDocument('1.0', 'UTF-8');
    
    // Create elements and set text content (automatically escaped)
    $rootElement = $doc->createElement('user');
    $doc->appendChild($rootElement);
    
    $usernameElement = $doc->createElement('username');
    $usernameElement->appendChild($doc->createTextNode($username)); // Properly escaped
    $rootElement->appendChild($usernameElement);
    
    $emailElement = $doc->createElement('email');
    $emailElement->appendChild($doc->createTextNode($email)); // Properly escaped
    $rootElement->appendChild($emailElement);
    
    return $doc->saveXML();
}
XML injection occurs when user input is directly inserted into XML documents without proper escaping, potentially allowing attackers to manipulate the XML structure.To prevent XML injection:
  • Use XML APIs to create and manipulate XML documents
  • Avoid string concatenation for XML generation
  • Implement proper input validation
  • Use XML escaping functions when necessary
  • Consider using XML schema validation
  • Implement proper error handling for XML operations
  • Consider using template systems with automatic escaping
  • Regularly test for XML injection vulnerabilities
XML Vulnerabilities Prevention Checklist:

1. XML Parser Configuration
   - Disable external entities and DTDs
   - Disable entity expansion or set expansion limits
   - Use secure XML parsing libraries
   - Disable network access during XML processing
   - Configure XML parsers securely by default

2. Input Validation and Sanitization
   - Validate XML against a schema before processing
   - Implement proper input validation for XML data
   - Use XML APIs instead of string concatenation
   - Consider using XML escaping functions
   - Implement proper error handling for XML operations

3. XML Processing Best Practices
   - Consider using alternative data formats like JSON
   - Use parameterized XPath queries
   - Implement proper access controls for XML resources
   - Keep XML processing libraries updated
   - Avoid using XML for sensitive operations when possible

4. XML Security Features
   - Implement proper XML signature validation
   - Use XML Canonicalization (C14N) properly
   - Consider using XML encryption for sensitive data
   - Implement proper key management for XML security
   - Regularly test XML security implementations

5. Secure Deserialization
   - Avoid using XML deserializers that support arbitrary code execution
   - Use safer alternatives with specific classes
   - Implement schema validation before deserialization
   - Consider using alternative serialization formats
   - Implement proper error handling for deserialization

6. Testing and Monitoring
   - Regularly test for XML vulnerabilities
   - Implement proper logging for XML operations
   - Monitor for suspicious XML activity
   - Consider using XML security scanning tools
   - Implement proper error handling that doesn't reveal sensitive information
Preventing XML vulnerabilities requires a comprehensive approach that addresses parser configuration, input validation, and secure XML processing practices.Key prevention strategies:
  • Disable dangerous XML features like external entities
  • Use secure XML parsing libraries and configurations
  • Implement proper input validation and sanitization
  • Follow XML security best practices
  • Keep all XML processing libraries updated
  • Consider using alternative data formats when appropriate
  • Regularly test for XML vulnerabilities
  • Implement proper error handling and monitoring
I