The Extensible Markup Language (XML) is widely used to exchange structured data between programs, people and machines, both locally and across networks. XML is a simple, text-based format that represents information such as documents, configurations, books, transactions, application data and invoices, among much else. While the format brings real benefits to modern application delivery, XML parsing is also exposed to serious attacks. XML External Entity (XXE) injection is one such attack: it occurs when an adversary interferes with an application's processing of XML input. Exploiting an XXE vulnerability can allow a threat actor to forge requests, access sensitive data and perform port scanning, among other malicious actions.
This guide discusses how XXE vulnerabilities arise, the impacts of XXE attacks, and best practices to prevent them.
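As an added example (not part of the original guide), the following shows the defensive rule behind XXE prevention in code: an application that parses XML from untrusted sources should refuse any DOCTYPE, and therefore any entity declaration, rather than trying to filter individual entities after the fact. It uses only Python's standard-library expat parser; the function names and the two sample documents are constructed for illustration and do not come from any real application.

```python
"""Hardened XML parsing for untrusted input (standard library only).

A permissive parser expands whatever entities the document declares; a
hardened parser refuses the DOCTYPE up front, so no entity, internal or
external, can ever be declared by the sender.
"""
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE / DTD."""


def _collect(parser):
    """Attach handlers that record element names and character data."""
    seen = {"elements": [], "text": []}
    parser.StartElementHandler = lambda name, attrs: seen["elements"].append(name)
    parser.CharacterDataHandler = lambda data: seen["text"].append(data)
    return seen


def _result(seen):
    return {"elements": seen["elements"], "text": "".join(seen["text"]).strip()}


def parse_permissive(xml_bytes: bytes) -> dict:
    """Baseline: a default expat parser, which expands declared entities."""
    parser = expat.ParserCreate()
    seen = _collect(parser)
    parser.Parse(xml_bytes, True)
    return _result(seen)


def parse_hardened(xml_bytes: bytes) -> dict:
    """Parse untrusted XML, rejecting any DOCTYPE before entities can exist."""
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen; the exception propagates
        # out of Parse() and the rest of the document is never processed.
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = reject_doctype

    # Defence in depth: should a DOCTYPE ever get past the check above,
    # never resolve external entities. Returning 0 makes expat abort the parse.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0

    seen = _collect(parser)
    parser.Parse(xml_bytes, True)
    return _result(seen)


# Constructed sample inputs (hypothetical, not taken from any real system).
BENIGN = b"<order><item>widget</item></order>"
WITH_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY greeting "hello"> ]>\n'
    b"<order><item>&greeting;</item></order>"
)


def demo() -> dict:
    """Run both parsers over both documents and report what each did."""
    outcome = {
        "permissive_dtd_text": parse_permissive(WITH_DTD)["text"],
        "hardened_benign_text": parse_hardened(BENIGN)["text"],
    }
    try:
        parse_hardened(WITH_DTD)
        outcome["hardened_dtd"] = "accepted"
    except DoctypeRejected as exc:
        outcome["hardened_dtd"] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The permissive parser silently substitutes the declared entity, which is exactly the behaviour an XXE payload relies on; the hardened parser raises on the DOCTYPE declaration itself, so the same document is refused before any entity is defined, while an ordinary document without a DTD parses normally. The same policy (disable DTDs, and separately disable external entity resolution) is what the XML libraries of other languages expose as parser features or factory settings.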