Definition

XML external entity (XXE) injection is a web application vulnerability in which an attacker interferes with how the application parses XML. It arises when an insecurely configured XML parser processes attacker-supplied XML whose document type definition (DTD) declares an external entity, an entity whose value is loaded from a URI such as a local file path or an internal URL, and the parser resolves that reference. The fetched content is then substituted into the document, which lets the attacker read server files, reach internal services, or in some cases cause denial of service or code execution.

Types of XML External Entity Attacks

Examples of Real-life XML External Entity Attack

Research published by Check Point in 2017 (the ParseDroid findings) uncovered XXE vulnerabilities in widely used Android reverse-engineering and development tools, including APKTool, which resolved external entities when parsing the AndroidManifest.xml inside a crafted APK or project. Opening a malicious file could exfiltrate sensitive data from the analyst's or developer's machine and, in the case of APKTool, could be chained into taking over the machine running the tool.

Preventing XXE Attacks

How Do XXE Vulnerabilities Occur?

Some applications transmit data between browsers and servers in XML format. Applications that do this almost always hand the XML to a standard library or platform API for server-side parsing. XXE vulnerabilities occur because the XML specification includes potentially harmful features, above all DTD entity declarations that can reference external resources, which standard parsers support and frequently enable by default even though the application never needs them. The application is vulnerable not because of anything it wrote itself, but because it accepts untrusted XML and never turned those parser features off.
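To make the definition and the parser-default problem concrete, here is an added example written for this page; it is not code from the original article or from any tool it mentions. It uses Python's standard-library SAX parser (chosen as one ordinary platform parser, not because the tools above are Python-based) to parse the classic file-disclosure payload three ways: with external general entities enabled, with the library default, and with DOCTYPE rejected outright. The secret file, its contents and the element names are constructed for the demonstration.

```python
"""XXE demonstration with Python's stdlib XML parsers (constructed example)."""
import io
import os
import pathlib
import tempfile
import xml.parsers.expat
import xml.sax
import xml.sax.handler


def make_secret_file():
    # Constructed stand-in for a sensitive server-side file (think /etc/passwd).
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write("db_password=hunter2")
    return path


def build_payload(target_uri):
    # Classic XXE: the DTD declares an external entity whose value is fetched
    # from target_uri, and the document body references it so the parser
    # substitutes the fetched content into the element text.
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        "]>\n"
        "<order><item>&xxe;</item></order>\n"
    ).encode()


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects all character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_sax(xml_bytes, resolve_external):
    # feature_external_ges controls whether external general entities are
    # fetched. Python disables it by default; many other parsers do not.
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def parse_rejecting_dtd(xml_bytes):
    # Hardened variant: the application never needs a DTD, so refuse the
    # whole DOCTYPE instead of silently dropping entities (fail closed).
    chunks = []
    parser = xml.parsers.expat.ParserCreate()

    def reject(doctype_name, system_id, public_id, has_internal_subset):
        raise ValueError(f"DOCTYPE {doctype_name!r} is not allowed")

    parser.StartDoctypeDeclHandler = reject
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks).strip()


def demo():
    """Returns (leaked text, text with entities dropped, whether DTD was rejected)."""
    path = make_secret_file()
    try:
        payload = build_payload(pathlib.Path(path).as_uri())
        leaked = parse_sax(payload, resolve_external=True)
        dropped = parse_sax(payload, resolve_external=False)
        try:
            parse_rejecting_dtd(payload)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(path)
    return leaked, dropped, rejected


if __name__ == "__main__":
    leaked, dropped, rejected = demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(dropped))
    print("DOCTYPE rejected          :", rejected)
```

With external entities enabled the `<item>` element comes back holding the secret file's contents, which is exactly what an attacker reads from the application's response or error message. With the feature off the reference is simply dropped, which hides the problem rather than reporting it; the DOCTYPE-rejecting parser is the safer default for an application that only ever expects plain data XML, and the same idea applies to other platforms (disable DTDs or external entities at parser construction, not after the fact).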

What is the Impact of XXE Attacks?