Security misconfiguration ranks as #5 in the OWASP Top 10 (2021) — and XML External Entity (XXE) vulnerabilities are a textbook example of this issue. While XML remains a foundational data format in many Java applications, improper configuration of XML parsers can expose serious security holes. XXE attacks are often overlooked but can lead to data leakage, denial of service, and even remote code execution when left unmitigated.
This article explores how XXE vulnerabilities arise in Java, why they are dangerous, and how you can defend your applications with secure configuration practices.
What is an XXE Attack?
XXE attacks exploit the ability of XML parsers to define and load external entities. These entities can reference external resources, such as files or URLs, which opens the door to attacks like file disclosure and SSRF (Server-Side Request Forgery).
A simple malicious XML payload might look like this:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
When a vulnerable XML parser processes this payload, it will try to replace &xxe; with the contents of /etc/passwd, potentially exposing sensitive data to the attacker.
XXE in Java: Common Pitfalls
Java provides many ways to parse XML—such as JAXP, JAXB, DOM, and SAX—but unfortunately, many of these parsers are not secure by default. Consider the following unprotected code:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(new InputSource(new StringReader(xml)));This parser will process external entities unless explicitly configured to disable them.
To mitigate XXE, apply these defensive settings:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Adding these three properties works for the most parser
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Additionally you can add these features, espacially for the SAXReader
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);These settings neutralize malicious XML input by preventing the parser from resolving external entities.
Best Practices for Preventing XXE in Java
- Use secure XML parser settings: If possible disable DTDs and external entities.
- Avoid XML where possible: Use safer alternatives like JSON unless XML is strictly required.
- Validate all input: Enforce schema validation and content restrictions.
- Apply the principle of least privilege: Limit file and network access for the application runtime.
- Keep dependencies updated: Stay current with XML libraries and patch known issues.
Conclusion
XXE vulnerabilities are a subtle but serious threat in Java applications — especially when using default or legacy XML configurations. They perfectly illustrate why security misconfiguration continues to rank high on OWASP’s list of common risks.
If you’re developing Java applications and want to safeguard them against XXE and similar security flaws, I’m here to help. I offer consulting, code reviews, and secure development guidance tailored to your needs.
👉 Feel free to get in touch with me for a personal consultation or hands-on support. Let’s make your application bulletproof together!
Stay safe, code smart! 😎
Check out also my other posts, e.g Path Traversal via File Upload in Java