Improper Restriction of XML External Entity Reference ('XXE')
Description
External XML entities can be abused to read files, communicate with external hosts, exfiltrate data, or cause a Denial of Service (DoS). XML parsers and document loaders must be configured to not resolve entities.
Examples
Insecure Code

```c#
// Vulnerable: explicitly allowing DTD processing lets the parser read
// entity declarations, including external entities, from the input.
var settings = new XmlReaderSettings();
settings.ProhibitDtd = false;
XmlReader reader = XmlReader.Create(path, settings);
```

Secure Code

```c#
// Safe: the reader rejects any DTD, so no entity declarations are read
// and no external entity can be resolved.
var settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
XmlReader reader = XmlReader.Create(path, settings);
```

Remediation
Set `DtdProcessing` on `XmlReaderSettings` to `DtdProcessing.Prohibit`, or ensure the .NET Framework version is greater than 4.5.2.
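As an added example (not part of the rule's own code), a helper that builds the hardened settings and parses a constructed document carrying a DOCTYPE, showing that the reader rejects the input before any entity could be resolved; `XmlResolver = null` is an extra precaution not named in the rule, and the `SYSTEM` URI is a constructed placeholder.

```csharp
using System;
using System.IO;
using System.Xml;

public static class SafeXml
{
    // Constructed sample: a document that declares an external entity.
    // With DTD processing prohibited, the parser stops at <!DOCTYPE.
    private const string DocWithDtd =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///constructed/placeholder\"> ]>\n" +
        "<data>&ext;</data>";

    private const string PlainDoc = "<data>hello</data>";

    // Settings that refuse any DTD: no entity declarations are read, so
    // no external entity can be resolved. XmlResolver = null additionally
    // blocks fetching of external resources (assumption: extra hardening).
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
    }

    // Returns the root element's text, or null when the parser rejects the input.
    public static string ReadRootText(string xml)
    {
        try
        {
            using (var sr = new StringReader(xml))
            using (var reader = XmlReader.Create(sr, HardenedSettings()))
            {
                reader.MoveToContent();
                return reader.ReadElementContentAsString();
            }
        }
        catch (XmlException ex)
        {
            // DtdProcessing.Prohibit throws as soon as the DOCTYPE is encountered.
            Console.WriteLine("rejected: " + ex.Message);
            return null;
        }
    }

    public static void Main()
    {
        Console.WriteLine(ReadRootText(PlainDoc));
        Console.WriteLine(ReadRootText(DocWithDtd) == null ? "DTD blocked" : "DTD allowed");
    }
}
```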
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0454 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML External Entity |
| OWASP | A1:2017-Injection, A03:2021-Injection |