Understanding XXE (XML External Entity) Attacks

The advantages and risks of utilizing data in XML format are both attributable to its extensibility (it’s in the name, after all) relative to more simplistic plain-text data formats like JSON or CSV. Perhaps the strongest example of this extensibility is the XML entity declaration feature, which is defined using Document Type Definition syntax and effectively instructs data parsers to access information made available inside (internal reference) or outside (external reference) of the original XML document by the document creator. This powerful reusability feature affords numerous benefits, but it also represents a unique threat for any application parsing XML data.

While XML internal entities access content stored locally within a document, XML external entities are designed to retrieve content that lives outside of an XML document, often using HTTP requests to access that information. When an XML parser reads an external entity reference, it will retrieve the information associated with that reference and subsequently incorporate that information into the original XML document.

This external reference feature is a well-documented cyberattack vector. Threat actors can leverage external entity vulnerabilities to carry out XML External Entity (XXE) attacks, exploiting poorly sanitized XML data parsers with built-in document references to external malicious content. That content can take myriad forms, and the outcomes of a successful attack can be disastrous, resulting in the theft of valuable data from our servers or even Denial of Service to our users.

Preventing XXE Attacks with Cloudmersive APIs

Thankfully, you can take advantage of three separate Cloudmersive APIs to protect your applications from XXE threats, with each option varying in the scope of its threat detection capabilities. These options include the following:

1. Protect Text Input from XML External Entity Attacks: This iteration of the Cloudmersive Security API is designed exclusively to detect XML External Entity attacks from a string of XML text. When XXE threats are identified, the API will return a Boolean labeled “ContainedXxe” to notify you if external references were present.

2. Automatically Detect Threats in an Input String: This dynamic iteration of the Cloudmersive Security API is designed to detect a variety of common content threat types in a single request from text string input. These threat types include XML External Entities, Cross-Site Scripting, SQL Injection, Server-Side Request Forgery, and JSON Insecure Deserialization. When XXE threats are detected, the API response will return a “True” value in the “ContainedXxeThreat” Boolean.

3. Advanced Virus Scan API: This dynamic iteration of the Cloudmersive Virus Scan API is designed to scan files for viruses, malware, AND hidden content threats, including XML external entities. The API response will determine if XML was present within any document by default; additionally, setting the “allowXmlExternalEntities” request parameter to “False” will return a “CleanResult: False” response for documents containing XML external entity references.

For more information on Cloudmersive Security and Virus Scan APIs, please feel free to reach out to a member of our sales team.