
    XXE: XML external entity injection in mobile apps

    A 2026 view of an XXE attack where a malicious XML document declares an external entity that makes the parser read a local file, contrasted with a parser that disables DTDs

    If your app parses XML, configuration files, SOAP responses, RSS feeds, SVG, or any XML a server or user supplies, there is a classic vulnerability to know about: XML external entity injection, or XXE. XML lets a document declare entities, including external ones that point at a file or URL, and an XML parser configured to resolve them will fetch what they point to. A malicious document can use that to make your app read local files, make network requests on its behalf, or exhaust resources. The fix is to turn off the features that enable it. Here is what XXE is, what it can do, and how to prevent it.

    Short answer

    XXE (XML external entity injection) is a vulnerability where an XML parser, configured to resolve external entities or process DTDs, is fed a malicious XML document that declares an external entity pointing at a local file or URL, causing the parser to disclose file contents, make server-side requests, or exhaust resources through entity expansion. Per OWASP, the prevention is to disable DTD processing and external entity resolution in your XML parser, which is the safe configuration for almost every app. It applies to any mobile app that parses XML it receives. The principle is that an XML parser should never fetch external resources a document points to, so configure it not to.

    What you should know

    • XML supports external entities: a document can declare entities that point at files or URLs.
    • A vulnerable parser resolves them: it fetches whatever the entity points to.
    • The impact is file disclosure, SSRF, or DoS: it depends on what is resolved.
    • The fix is configuration: disable DTD processing and external entities.
    • It applies to any XML you receive: from a server, a user, or a file.

    What is XXE?

    It is an injection vulnerability in XML parsing. XML documents can include a Document Type Definition (DTD) that declares entities, shorthand names that expand to some value; an external entity declares that its value comes from an external source, a local file path or a URL. When a parser configured to process DTDs and resolve external entities reads a document containing such a declaration, it fetches the referenced resource and substitutes it into the document, so a malicious document can make the parser read a local file or contact a URL. The vulnerability is not in XML itself but in a parser configured to resolve these external references on untrusted input. Many XML parsers historically resolved entities by default, which is why XXE has been so common; the defense is to configure the parser not to process DTDs or external entities at all.

    What can an XXE attack do?

    Several things, depending on what the entity resolves to. The table lists the main impacts.

    Impact                        What happens
    Local file disclosure         An external entity references a file; its contents are read
    Server-side request forgery   An entity references a URL the parser then contacts
    Denial of service             Nested entity expansion exhausts memory or CPU
    Internal network probing      Entities point at internal addresses to probe them

    The most cited impact is local file disclosure: a document declares an entity pointing at a file path, and when the parser expands it, the file's contents are pulled into the parsed result, which can leak sensitive data. If the parser fetches URLs, the attacker can make it issue requests, a form of server-side request forgery that can reach internal resources. And entity expansion attacks, where entities reference other entities in a way that multiplies exponentially, the classic billion-laughs pattern, can exhaust resources and cause denial of service. All of them stem from the parser resolving things a malicious document tells it to.

    How do you prevent XXE in a mobile app?

    Disable DTD processing and external entity resolution in your XML parser. The single most effective step is to configure your parser so it does not process DTDs at all, which disables external entities and entity expansion in one move, and is the recommended default for parsing untrusted XML. If you cannot disable DTDs entirely, at minimum disable external entity resolution and limit entity expansion. Use the parser's secure-processing settings where available, and prefer parsers or configurations that do not resolve external entities by default. Treat any XML your app parses, from a server, a user, or a downloaded file, as untrusted input, since the malicious document is the attack vector. And where you control the data format, consider whether you need XML at all, since a simpler format avoids the entire class. The principle is that your parser should never fetch external resources a document names, so configure it to refuse.
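    As an added example, not code from this page or from PTKD, here is a hardened XML entry point built on Python's standard-library expat binding; it shows both tiers described above and in the "What is XXE?" section: refuse any DTD by default, and, if an internal DTD must be kept, refuse external entities at declaration and bound entity expansion. The function name, the amplification cap and the three sample documents are my own constructions.

```python
import xml.parsers.expat as expat

class UnsafeXml(ValueError):
    """Raised when an untrusted document asks the parser for something it refuses."""

MAX_AMPLIFICATION = 10  # character data may not exceed 10x the input size

def parse_untrusted(data: bytes, allow_internal_dtd: bool = False) -> list:
    """Parse untrusted XML and return (tag, text) pairs in end-tag order.
    By default any DOCTYPE is refused (no external entities, no expansion). With
    allow_internal_dtd=True an internal subset is accepted, but external entities
    are refused at declaration and expansion is bounded by an amplification cap."""
    parser = expat.ParserCreate()
    out, stack, produced = [], [], 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_internal_dtd or sysid or pubid:
            raise UnsafeXml(f"DOCTYPE refused (root={name!r}, system id={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:  # external general or parameter entity
            raise UnsafeXml(f"external entity {name!r} -> {sysid!r} refused")

    def on_chars(text):
        nonlocal produced
        produced += len(text)
        if produced > MAX_AMPLIFICATION * len(data):
            raise UnsafeXml("entity expansion exceeds amplification budget")
        stack[-1][1].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Returning 0 makes expat stop; the app never fetches a resource the document names.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda tag, attrs: stack.append((tag, []))
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = lambda tag: out.append((tag, "".join(stack.pop()[1])))
    parser.Parse(data, True)
    return out

# Constructed samples, not taken from any real app: a harmless internal entity,
# an external entity pointing at a placeholder path, and a small billion-laughs chain.
SAFE_DTD = b'<!DOCTYPE d [<!ENTITY co "Example Co">]><d>&co;</d>'
EXTERNAL_ENTITY = b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///path/to/secret.txt">]><d>&xxe;</d>'
BILLION_LAUGHS = (b'<!DOCTYPE d [<!ENTITY l0 "lol">'
                  + b"".join(b'<!ENTITY l%d "%s">' % (i, b"&l%d;" % (i - 1) * 10) for i in range(1, 6))
                  + b"]><d>&l5;</d>")
```

    The same two knobs exist on the platform parsers: Xerces-based Java parsers accept the feature http://apache.org/xml/features/disallow-doctype-decl, and Foundation's XMLParser on iOS exposes shouldResolveExternalEntities, which defaults to false.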

    What to watch out for

    The first trap is using an XML parser with its default configuration when that default resolves external entities, which many historically did; explicitly disable DTDs and external entities. The second is assuming XML from your own server is safe, when it could be tampered with or the server compromised; treat parsed XML as untrusted. The third is overlooking XML hidden in formats like SVG or document files your app parses. XXE is a code-level parser-configuration flaw, so a pre-submission scan such as PTKD.com (https://ptkd.com), which reads the binary against OWASP MASVS, assesses input and data handling broadly, while the specific parser hardening is something you set in the code that parses XML.

    What to take away

    • XXE is when an XML parser configured to resolve external entities or process DTDs parses a malicious document, leading to file disclosure, server-side requests, or denial of service.
    • The impacts come from the parser fetching files or URLs a document names, or expanding nested entities until resources are exhausted.
    • Prevent it by disabling DTD processing and external entity resolution in your parser, treating all parsed XML as untrusted input, and considering whether you need XML at all.
    • XXE is a parser-configuration flaw you fix in code; use a pre-submission scan such as PTKD.com to assess your app's input and data handling.

    Frequently asked questions

    What is XXE?
    XML external entity injection is an injection vulnerability in XML parsing. XML documents can declare entities in a DTD, and an external entity says its value should come from a file path or URL. A parser configured to process DTDs and resolve external entities will fetch the referenced resource when it parses such a document, so a malicious document can make the parser read a local file or contact a URL. The flaw is not in XML but in a parser configured to resolve these references on untrusted input.
    What can an XXE attack do?
    Several things, depending on what the entity resolves to. The most cited is local file disclosure, where an entity points at a file path and the file's contents are pulled into the parsed result, leaking sensitive data. If the parser fetches URLs, an attacker can make it issue requests, a form of server-side request forgery that may reach internal resources. And nested entity expansion, the billion-laughs pattern, can exhaust memory or CPU and cause denial of service. All stem from the parser resolving what a malicious document names.
    How do I prevent XXE in a mobile app?
    Disable DTD processing and external entity resolution in your XML parser, which is the most effective step and disables external entities and entity expansion in one move, the recommended default for parsing untrusted XML. If you cannot disable DTDs entirely, at minimum disable external entity resolution and limit entity expansion, and use the parser's secure-processing settings. Treat all parsed XML as untrusted input regardless of source, and where you control the format, consider whether you need XML at all.
    Is XML from my own server safe to parse?
    Not automatically. XML from your own server can be tampered with in transit if not delivered securely, or the server could be compromised, so you should treat parsed XML as untrusted input and harden your parser regardless of origin. The safe configuration, disabling DTD processing and external entity resolution, costs nothing for legitimate documents and removes the vulnerability for malicious ones, so there is no reason to leave it enabled just because the XML is expected to come from a trusted source.
    Can a scan find XXE?
    XXE is a code-level parser-configuration flaw, fixed in the code that parses XML, but a pre-submission scan such as PTKD.com reads the binary against OWASP MASVS and assesses input and data handling broadly, which is part of identifying where untrusted input is processed. The specific hardening, disabling DTD processing and external entity resolution in your XML parser, is something you set and review in code, treating any XML your app parses as untrusted input.
