# XML External Entities (XXE)

If an XML parser is configured incorrectly, attackers can exploit it by defining external entities, either to read data or to mount denial-of-service attacks.

OWASP Top 10 category: A05:2021

# Background

# Context

XXE attacks are possible if the XML parser in use is not configured securely. If the parser allows references to external entities, security issues can arise. Entities are declared in the following format:

```xml
<!ENTITY error "An error occurred">
```

The entity can then be used inside the XML document by referencing it as `&error;`.

# Problems

  • Through nested entity references, where each entity expands to many references of the previous one, attackers can increase CPU usage and make the server unresponsive. The Billion Laughs attack uses this pattern to deny a server's service: it references the &LOLX; entities over and over, as in the example below:

```xml
<!DOCTYPE root [
<!ELEMENT root ANY>
<!ENTITY LOL "lol">
<!ENTITY LOL1 "&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;">
<!ENTITY LOL2 "&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;">
...
<!ENTITY LOL9 "&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;">
]>
<root>&LOL9;</root>
```

  • Additionally, the SYSTEM keyword can be used to load external files or read internal data such as passwords. Declared inside the DOCTYPE's internal subset, as above:

```xml
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
```

# Solutions

  • Restrict the resources the parser is allowed to access
  • Use parsers with built-in security mechanisms that ignore external entities
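Both solutions can also be enforced before a parser is involved at all. As an added example, not code from the original page, the Node.js guard below inspects a document's DOCTYPE and rejects the two patterns described in the Problems section: SYSTEM/PUBLIC entity declarations and internal entities whose expansion would exceed a limit; the function names, the limit and the sample document are assumptions constructed for this example.

```javascript
// Added example, not code from the original page: a pre-parse guard that inspects the
// DOCTYPE of an XML document and rejects both patterns described above (SYSTEM/PUBLIC
// entities and oversized entity expansion) before any parser sees the text. Assumed names.
// Internal subset of a DOCTYPE: everything between the square brackets.
const DOCTYPE_RE = /<!DOCTYPE[^\[>]*(?:\[([\s\S]*?)\])?\s*>/i;
// Length of `value` once every &name; reference in it has been expanded.
// `visiting` catches reference cycles; `memo` keeps the check linear in the DTD size.
function expandedLength(value, entities, memo, visiting) {
  const ref = /&([\w.-]+);/g;
  let total = 0, last = 0, m;
  while ((m = ref.exec(value)) !== null) {
    total += m.index - last;                       // literal text before the reference
    last = m.index + m[0].length;
    const name = m[1];
    if (!(name in entities)) { total += m[0].length; continue; }  // &amp; etc. stay as-is
    if (visiting.has(name)) throw new Error(`recursive entity "${name}"`);
    if (!(name in memo)) {
      visiting.add(name);
      memo[name] = expandedLength(entities[name], entities, memo, visiting);
      visiting.delete(name);
    }
    total += memo[name];
  }
  return total + (value.length - last);
}
// Returns { ok: true, expansion } or { ok: false, reason }. maxExpansion caps the number
// of characters the document body would expand to (the default is chosen for this example).
function checkXmlEntities(xml, maxExpansion = 100000) {
  const doc = DOCTYPE_RE.exec(xml);
  if (!doc) return { ok: true, expansion: 0 };     // no DTD: nothing can expand
  // One <!ENTITY name "value"> or <!ENTITY name SYSTEM|PUBLIC "..."> declaration.
  const entityRe = /<!ENTITY\s+([\w.-]+)\s+(SYSTEM|PUBLIC)?\s*"([^"]*)"[^>]*>/gi;
  const entities = Object.create(null); let d;
  while ((d = entityRe.exec(doc[1] || '')) !== null) {
    if (d[2]) return { ok: false, reason: `external entity "${d[1]}" (${d[2].toUpperCase()})` };
    entities[d[1]] = d[3];
  }
  try {
    const expansion = expandedLength(xml.slice(doc.index + doc[0].length), entities, Object.create(null), new Set());
    if (expansion > maxExpansion) return { ok: false, reason: `expansion of ${expansion} chars exceeds ${maxExpansion}` };
    return { ok: true, expansion };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}
// Constructed two-level variant of the Billion Laughs document shown on the page.
const SAMPLE_LAUGHS = '<!DOCTYPE root [<!ENTITY LOL "lol">' +
  '<!ENTITY LOL1 "&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;">' +
  '<!ENTITY LOL2 "&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;">]><root>&LOL2;</root>';
console.log(checkXmlEntities(SAMPLE_LAUGHS, 100));  // { ok: false, reason: 'expansion of 313 chars exceeds 100' }
```

The check is a guard in front of the parser, not a replacement for configuring the parser itself; a parser with DTD processing disabled remains the primary control.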

# Technologies


As described above, the parser should not be exploitable by external entities.

# Node.js

| Library | Solution |
|---------|----------|
| sax | Setting its mode to strict is required. |

# Java

See OWASP's XML External Entity Prevention Cheat Sheet.

Last Updated: 7/3/2022, 3:51:46 PM