Why is Java particularly vulnerable to XXE?

Java's standard XML parsers (DocumentBuilderFactory, SAXParserFactory, XMLInputFactory) enable external entity processing by default in many configurations. Developers must explicitly disable these features, which is often missed.

Is JSON immune to XXE?

Yes. XXE is specific to XML parsers that process DTDs and entity definitions. JSON has no equivalent mechanism. Switching from XML to JSON for data interchange eliminates XXE risk entirely.

What is the Billion Laughs attack?

The Billion Laughs attack (XML bomb) uses nested entity expansion to create exponentially growing XML content. A few kilobytes of XML can expand to gigabytes in memory, crashing the parser and causing denial of service.

XXE (XML External Entity) Attacks: Detection and Prevention

What Is XXE

XML External Entity (XXE) injection is a vulnerability where XML parsers process external entity references in user-supplied XML input. An attacker crafts XML containing entity declarations that reference local files, internal URLs, or recursive definitions, causing the parser to leak data, perform SSRF, or trigger denial of service.

Mapped to CWE-611 and falling under OWASP A05:2021 – Security Misconfiguration, XXE exploits the fact that many XML parser libraries enable external entity processing by default. Java's DocumentBuilderFactory, SAXParserFactory, and XMLInputFactory are particularly susceptible.

How XXE Attacks Work

An attacker submits XML containing a Document Type Definition (DTD) with an external entity:

<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>

If the parser processes the DTD, it resolves the SYSTEM entity by reading /etc/passwd and includes its contents in the parsed document. The application then returns the file contents in its response.

Attack Variants

File disclosure: Read server files via file:// protocol (/etc/passwd, application configs, credentials)
SSRF via XXE: Fetch internal URLs via http:// protocol (cloud metadata, internal APIs)
Billion Laughs DoS: Recursive entity expansion that consumes memory exponentially, crashing the parser
Blind XXE: Out-of-band data exfiltration through DNS or HTTP requests to attacker-controlled servers

Real-World XXE Impact

Facebook (2014): Researchers discovered XXE in Facebook's career portal that could read internal server files, earning a $33,500 bug bounty.
Uber (2016): XXE vulnerability in a SAML-based SSO endpoint allowed reading server files and potentially accessing internal services.
SAP (2018): Multiple XXE vulnerabilities in SAP enterprise products allowed attackers to read sensitive configuration files on enterprise servers.

XXE is especially prevalent in enterprise Java applications that process XML for SOAP services, SAML authentication, SVG uploads, or RSS feeds.

How CodeSlick Detects XXE

CodeSlick identifies unsafe XML parser configurations in Java and Python codebases:

XML parser factories missing disallow-doctype-decl and external-general-entities features in Java
Missing ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA restrictions
Python XML parsing without defusedxml or equivalent protections

All findings include CWE-611 classification and AI-powered fixes that generate the correct parser hardening configuration for your specific XML library.

Detect unsafe XML parser configurations in your Java and Python code.

Try Free Scanner Install GitHub App

XXE (XML External Entity) Attacks: Detection and Prevention

What Is XXE

How XXE Attacks Work

Attack Variants

Real-World XXE Impact

How CodeSlick Detects XXE

Frequently Asked Questions

Related Guides

What Is SQL Injection? Detection Examples and Prevention

What Is XSS (Cross-Site Scripting)? Types Examples and How to Fix It

CSRF (Cross-Site Request Forgery): What It Is and How to Prevent It

How to Prevent SQL Injection: Complete Developer Guide