• XML( Extensible Markup Language ) : used to transport and store data in a format that’s both human readable and machine-parseable

• XSLT ( Extensible Stylesheet Language Transformations ) : is a language used to transform and format XML documents. it is significantly relevant to XXE attacks

• DTD (Document Type Definitions ) : define the structure and constraints of an XML documents <Internal DTDs are using <!DOCTYPE >

• XXE Injection : vulnerability that occurs when an application accepts XML input that includes external entity references within the XML itself

  

• Types of XXE Injections :

Impact of XXE :

• disclose local files
• make server-side requests
• execute remote code ( RCE )

Mitigation:

• Disable External Entities and DTD : , disable the processing of external entities and DTDs in your XML parsers. Most XXE vulnerabilities arise from malicious DTDs.
• Use less complex Data format : do not allow the specification of external entities
• allowlisting Input validation : exclude or escape XML-specific characters such as “>,<,&”
• In java use : DocumentBuilderFactory and disable DTDs

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("<http://apache.org/xml/features/disallow-doctype-decl>", true);
dbf.setFeature("<http://xml.org/sax/features/external-general-entities>", false);
dbf.setFeature("<http://xml.org/sax/features/external-parameter-entities>", false);
dbf.setFeature("<http://apache.org/xml/features/nonvalidating/load-external-dtd>", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
DocumentBuilder db = dbf.newDocumentBuilder();

• PHP : libxml_disable_entity_loader(true)