Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term XML External Entity (XXE)

Training Camp • Cybersecurity Glossary

What is XML External Entity (XXE)?

A type of attack that exploits how some XML processors validate or parse XML input.

Glossary > Application & API Security > XML External Entity (XXE)

Understanding XML External Entity (XXE)

A type of attack that exploits how some XML processors validate or parse XML input. XXE is a vulnerability where XML processors evaluate external entity references within XML documents, allowing attackers to access unauthorized files, execute remote code, perform server-side request forgery, or launch denial of service attacks. The vulnerability stems from insecure default configurations in many XML parsers and inadequate input validation. XXE vulnerabilities are documented in the OWASP Top 10, CWE-611, and various application security standards. Organizations prevent XXE through secure XML parsing configuration, input validation, and proper handling of user-supplied XML. For example, a web application development team might protect against XXE attacks by disabling external entity processing and DTD parsing in all XML parsers, validating and sanitizing all XML input, implementing XML parsing libraries specifically designed with security in mind, creating an allowlist of permitted entities when external references are necessary, and routinely testing applications with XXE-specific security tools to verify protections are effective. Related terms: XML injection, XML parsing, OWASP Top 10, API security, External entity, DOCTYPE declaration, Document Type Definition (DTD), Server-side request forgery (SSRF), File disclosure, Entity expansion.

Learn More About XML External Entity (XXE):

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →