Secure code review · Jan 28, 2024

Finding XML Vulnerabilities in Code

How insecure XML parsing creates exploitable application behavior and what engineering teams can do about it.

Written by Muqsit Baig

Parser defaults can become attack paths.

XML remains common in integrations, document formats, configuration, and legacy APIs. Its flexibility is useful, but unsafe parser defaults can expose applications to serious vulnerabilities.

Common XML vulnerabilities in the wild

The most familiar class is XML External Entity injection, or XXE. When an application accepts untrusted XML and permits external entity resolution, an attacker may be able to read local files, reach internal services, or trigger denial-of-service conditions. Blind XXE can still be exploitable when the response does not contain the result, because the parser may make an observable outbound request.

Other risky features include entity expansion, XInclude, XSLT, and remote schema resolution. These behaviors can create server-side request forgery, resource exhaustion, or unexpected access to local and remote content.

What is an XML parser?

An XML parser turns markup into a structure the application can work with. Security depends on how that parser is configured, especially whether it processes document type definitions, external entities, or remote resources. The secure setting is language and library specific, so teams should verify the behavior of the exact parser and version they deploy.

Find every indirect XML input

Review every place the application accepts XML, including SOAP and SAML messages, file uploads, office documents, SVG images, RSS feeds, and backend integrations. Content-type validation alone is not enough when compressed or container formats can include XML internally.

Test behavior, not only configuration

Code review should identify parser construction and feature flags, while controlled runtime testing should confirm that external resolution is disabled. Review error behavior, outbound network activity, payload-size limits, recursion limits, and timeouts. A configuration that appears secure can be bypassed if a second parser or transformation step processes the same input later.

Secure implementation guidance

Use hardened parser settings, disable DTD and external entity processing unless there is a strict business need, prevent remote resource resolution, validate expected schemas, limit payload size, and keep parsing libraries updated. Add regression tests that fail when dangerous features are re-enabled.

Research notes

Questions that turn guidance into a review.

Use these prompts to challenge assumptions, collect evidence, and make the article actionable for engineering and security teams.

Review questions
  1. Where can untrusted XML reach a parser, including indirect file and document formats?
  2. Does the parser process DTDs, external entities, XInclude, XSLT, or remote schemas?
  3. Can parser behavior reach local files, internal services, or excessive resource consumption?
  4. Are content type, payload size, schema, and parser configuration enforced consistently?
Evidence and signals
  • SOAP, SAML, SVG, office document, upload, and integration code paths
  • External entity resolution, blind callbacks, error differences, and local file references
  • Entity expansion, deeply nested input, oversized payloads, and parser timeouts
  • Language-specific secure parser settings and tests that prevent regression
Primary references

References support the review approach; they do not replace architecture-specific threat modeling or validation.

Start with a focused conversation

Ready to test what matters before attackers do?

Tell us what you are building, changing, or concerned about. We will help you define the right security review.

Request a security review Explore services