Web Application Security, 2nd Edition
by Andrew Hoffman
January 2024
Intermediate to advanced
444 pages
11h 10m
English
O'Reilly Media, Inc.
Content preview from Web Application Security, 2nd Edition

Chapter 30. Defending Against XXE

Generally speaking, XXE is indeed easy to defend against—simply disable external entities in your XML parser (see Figure 30-1). How this is done depends on the XML parser in question, but it is typically just a single line of configuration:

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

XXE is noted by OWASP to be particularly dangerous against Java-based XML parsers because many have XXE enabled by default. Depending on the language and parser you are relying on, it is possible that XXE is disabled by default. You should always check your XML parser’s API documentation to make sure. Don’t just expect it is disabled by default.

Figure 30-1. XXE attacks can be easily blocked by properly configuring your XML parser
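The following is an added example, not code from the book, showing where that single line of configuration sits inside a fully hardened Java DocumentBuilderFactory and how the parser then behaves on a document that carries a DOCTYPE. The class name, the additional features, the parseRootOrNull helper and the two sample documents are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Build a factory with DOCTYPE declarations and external entities disabled.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The single line from the chapter: reject any DOCTYPE, which rules out every entity declaration.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour only the SAX/JAXP switches below.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Parse the string and return the root element name, or null if the parser rejected it.
    static String parseRootOrNull(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, any document containing a DOCTYPE ends up here.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain payload, and the same payload with a DOCTYPE declaring
        // an external entity (the SYSTEM target is an inert placeholder).
        String plain = "<?xml version=\"1.0\"?><order><id>42</id></order>";
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
            + "<order><id>&ext;</id></order>";

        System.out.println("plain   -> " + parseRootOrNull(plain));        // order
        System.out.println("doctype -> " + parseRootOrNull(withDoctype));  // null (rejected)
    }
}
```

The JDK's built-in parser accepts all of these settings; a third-party JAXP implementation may throw ParserConfigurationException or IllegalArgumentException for a feature it does not know, which is exactly the signal to consult that parser's documentation rather than assume the protection is in place.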

Evaluating Other Data Formats

Depending on your application’s use cases, it may be possible to re-architect the application to rely on a different data format rather than XML. This type of change could simplify the codebase while eliminating any XXE risk. Typically, XML can be interchanged with JSON, making JSON the default when looking at other formats.

JSON, on the other hand, would not be practical if your application is parsing actual XML, SVG, or other XML-derived file types. It would, however, be a practical solution if your application is sending standard hierarchical payloads that just happen ...

ISBN: 9781098143923