XXE (XML External Entity)

An XML parser that resolves external entities will fetch remote URLs or read local files named in DOCTYPE / ENTITY declarations. Reading /etc/passwd through a SOAP endpoint is the classic example.

What it catches

Sample payload

<!-- Before -->
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>

// After (sanitize)
// DOCTYPE + ENTITY declarations stripped; data element preserved if safe.

// In block mode: 403, vector=xxe, rule=patterns.xxe.entity-system

Configuration

app.use(arcis({ block: true, sanitize: { xxe: { enabled: true } } }));

Disable

app.post('/soap', arcis({ sanitize: { xxe: false } }), handler);

References

Disable external entities at the parser. In Node, use libxmljs.parseXmlString(xml, { noent: false, noblanks: true }). In Python, use defusedxml. Disabling at parse time is your primary defense; Arcis catches strings that look like XXE before they reach your parser.