# XML External Entity (XXE)

## Overview

XML External Entity (XXE) attacks occur when untrusted XML input containing a reference to an external entity is processed by an XML parser that is improperly configured. This can lead to disclosure of internal resources, denial of service, remote code execution (RCE), server-side request forgery (SSRF), and internal port scanning.

> Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
>
> -OWASP

## Example

Consider this example from Appsecco's DVNA. The page `http://127.0.0.1:9090/app/bulkproducts` allows XML files to be uploaded, and a misconfiguration in the code that handles them makes the upload vulnerable to XXE.

![](/files/-MQx6Yi_37_PMY0axWBO)

The code that handles this XML upload functionality is found in *core/appHandler.js*. It uses the libxmljs library to parse the XML string. Line 3 of the excerpt below calls the `libxmljs.parseXmlString` function on the user input; this is where the vulnerability lies: the library parses the uploaded XML string, with entity substitution enabled, and saves the resulting document to the *products* variable.

```javascript
module.exports.bulkProducts =  function(req, res) { // libxmljs and db are required at the top of appHandler.js (not shown)
	if (req.files.products && req.files.products.mimetype=='text/xml'){
		var products = libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true,noblanks:true}) // noent:true substitutes (external) entities: XXE
		products.root().childNodes().forEach( product => {
			var newProduct = new db.Product()
			newProduct.name = product.childNodes()[0].text()        // each <product> is read by child position
			newProduct.code = product.childNodes()[1].text()
			newProduct.tags = product.childNodes()[2].text()
			newProduct.description = product.childNodes()[3].text()
			newProduct.save()
		})
		res.redirect('/app/products')
	}else{
		res.render('app/bulkproducts',{messages:{danger:'Invalid file'},legacy:false})
	}
}
```

The XML parsing library libxmljs substitutes external entities when the *noent* option is true, which is how the vulnerable code calls it: `{noent:true,noblanks:true}`. The flag needs to be set to false.

The following code shows the fix for this vulnerability: the same handler with *noent* set to false.

```javascript
module.exports.bulkProducts =  function(req, res) { // libxmljs and db are required at the top of appHandler.js (not shown)
	if (req.files.products && req.files.products.mimetype=='text/xml'){
		var products = libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:false,noblanks:true}) // noent:false: entities are no longer substituted
		products.root().childNodes().forEach( product => {
			var newProduct = new db.Product()
			newProduct.name = product.childNodes()[0].text()
			newProduct.code = product.childNodes()[1].text()
			newProduct.tags = product.childNodes()[2].text()
			newProduct.description = product.childNodes()[3].text()
			newProduct.save()
		})
		res.redirect('/app/products')
	}else{
		res.render('app/bulkproducts',{messages:{danger:'Invalid file'},legacy:false})
	}
}
```
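
Turning off *noent* removes entity substitution, but a product upload never needs a DTD at all, so a defence-in-depth layer can refuse any document that declares one before it reaches the parser (this is the posture OWASP recommends: disable DTDs entirely). The following is an added example, not DVNA's code: it screens the uploaded XML for `<!DOCTYPE` / `<!ENTITY`, enforces a size cap, and only then hands the text to a parser with the fixed options. The parser is injected so the example runs without libxmljs installed; `stubParseXmlString` is a tiny stand-in for the subset of the libxmljs API the handler uses (`root()`, `childNodes()`, `text()`), `MAX_BYTES` is an assumed value, and both sample documents are constructed (the entity in `DTD_XML` points at a placeholder path, not a real file).

```javascript
// Added example (not part of DVNA): screen an uploaded XML document before parsing it.

const DOCTYPE_RE = /<!DOCTYPE\b/i;
const ENTITY_RE = /<!ENTITY\b/i;
const MAX_BYTES = 1024 * 1024; // assumed 1 MiB upload cap

// Reject empty, oversized, or DTD-carrying documents. Refusing any DTD removes the
// whole XXE class regardless of how the parser behind it is configured.
function screenXml(xmlText) {
  if (typeof xmlText !== 'string' || xmlText.length === 0) {
    return { ok: false, reason: 'empty' };
  }
  if (Buffer.byteLength(xmlText, 'utf8') > MAX_BYTES) {
    return { ok: false, reason: 'too-large' };
  }
  if (DOCTYPE_RE.test(xmlText) || ENTITY_RE.test(xmlText)) {
    return { ok: false, reason: 'dtd-not-allowed' };
  }
  return { ok: true };
}

// Hardened equivalent of the bulkProducts flow. `parseXmlString` stands in for
// libxmljs.parseXmlString; the options object is the one the fixed handler uses.
// Returns plain objects instead of saving to the database so it can be tested.
function parseProductUpload(file, parseXmlString) {
  if (!file || file.mimetype !== 'text/xml') {
    return { ok: false, reason: 'invalid-file' };
  }
  const xmlText = file.data.toString('utf8');
  const screen = screenXml(xmlText);
  if (!screen.ok) return screen;

  const doc = parseXmlString(xmlText, { noent: false, noblanks: true });
  const products = [];
  for (const product of doc.root().childNodes()) {
    const fields = product.childNodes();
    // The original indexes children 0..3 blindly; validate the shape instead.
    if (fields.length !== 4) {
      return { ok: false, reason: 'bad-product-shape' };
    }
    products.push({
      name: fields[0].text(),
      code: fields[1].text(),
      tags: fields[2].text(),
      description: fields[3].text(),
    });
  }
  return { ok: true, products };
}

// Stand-in for the libxmljs document API used above (assumed shape, regex based,
// only for the flat <products><product>...</product></products> layout).
function stubParseXmlString(xmlText /*, options */) {
  const node = (tag, children, text) => ({
    name: () => tag, childNodes: () => children, text: () => text,
  });
  const products = [];
  const productRe = /<product>(.*?)<\/product>/g;
  const fieldRe = /<(\w+)>(.*?)<\/\1>/g;
  let m;
  while ((m = productRe.exec(xmlText)) !== null) {
    const fields = [];
    let f;
    while ((f = fieldRe.exec(m[1])) !== null) fields.push(node(f[1], [], f[2]));
    products.push(node('product', fields, ''));
  }
  return { root: () => node('products', products, '') };
}

// Constructed sample uploads.
const BENIGN_XML =
  '<products><product><name>Widget</name><code>W-1</code>' +
  '<tags>a,b</tags><description>ok</description></product></products>';
const DTD_XML =
  '<?xml version="1.0"?><!DOCTYPE products [<!ENTITY ext SYSTEM "file:///placeholder/path">]>' +
  '<products><product><name>&ext;</name><code>X</code><tags></tags><description></description></product></products>';

function demo() {
  const upload = (text, mimetype = 'text/xml') => ({ mimetype, data: Buffer.from(text, 'utf8') });
  return {
    benign: parseProductUpload(upload(BENIGN_XML), stubParseXmlString),
    dtd: parseProductUpload(upload(DTD_XML), stubParseXmlString),
    wrongType: parseProductUpload(upload(BENIGN_XML, 'text/plain'), stubParseXmlString),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The screen runs on the raw text, so it is independent of parser options and catches the DTD even if a future libxmljs upgrade changes defaults; `noent:false` remains the parser-level fix, and the two layers together are the point.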

Start with the following resources, then go to the resources page.

{% embed url="<https://portswigger.net/web-security/xxe>" %}

{% embed url="<https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing>" %}

{% embed url="<https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity>" %}

{% embed url="<https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)>" %}

{% embed url="<https://appsecco.com/books/dvna-developers-security-guide/solution/a4-xxe.html>" %}
Appsecco DVNA source code example
{% endembed %}
