XML (Extensible Markup Language) is an extremely popular data format used in a wide variety of ways; from documents to images to videos, XML carries them all. However, the very design of XML requires that an application parse the input in order to produce an output, and that parsing step is the opening for XML External Entity (XXE) attacks. XXE attacks exploit the way XML parsers handle Document Type Definitions (DTDs): an attacker-supplied DTD can define entities that the parser expands, either to exhaust resources and cause a denial of service or to make the server fetch local files and internal URLs (Server Side Request Forgery, SSRF) and so gain access to sensitive data. These attacks do not discriminate in who they target; if your applications use a parser to interpret XML data, they are potentially exposed. Several high-profile companies have reported discovering and being exposed to this type of attack over the past few years.
While XXE attacks may not get the press that viruses, malware, and social engineering threats receive these days, they remain a very prominent and often missed form of attack. An XXE attacker transmits their own entity definitions inside the input and relies on the parser to expand them into the application's output; any endpoint that accepts XML as input is therefore a candidate, and these endpoints are the ones that are particularly susceptible. Since these threats fall outside the protection of basic anti-virus software, the job of protecting a web application from XXE attacks will often fall to the developer. Instead of spending time developing a workaround, we will demonstrate how you can automate the detection of XXE attacks from a single text input, or from multiple text inputs in batch, by using the following APIs in Java.
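The two controls a developer actually reaches for when handling this in their own code are a cheap pre-parse screen of the text for a DTD that declares external entities, and a parser configured so that it cannot expand entities at all. The class below is an added illustration of both and is not the API the post goes on to describe, nor code from that vendor; it uses only the JDK's built-in `javax.xml.parsers` and the standard Xerces feature URIs, and the two inputs (`benign`, `hostile`) are constructed samples whose `SYSTEM` target is a placeholder, not a real resource.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeGuard {

    // A DOCTYPE is required before any entity can be declared; an ENTITY that names a
    // SYSTEM or PUBLIC identifier (general or parameter, hence the optional '%') is the
    // shape that reaches out to a file or URL, which is the XXE pattern.
    private static final Pattern DOCTYPE =
        Pattern.compile("<!DOCTYPE\\b", Pattern.CASE_INSENSITIVE);
    private static final Pattern EXTERNAL_ENTITY = Pattern.compile(
        "<!ENTITY\\s+%?\\s*\\w+\\s+(SYSTEM|PUBLIC)\\b", Pattern.CASE_INSENSITIVE);

    /** Heuristic pre-screen: true if the text carries a DTD declaring an external entity. */
    public static boolean looksLikeXxe(String xml) {
        return DOCTYPE.matcher(xml).find() && EXTERNAL_ENTITY.matcher(xml).find();
    }

    /** Parser that refuses DOCTYPE declarations outright, so no entity can be defined or expanded. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: reject any DTD. This also shuts down internal-entity expansion bombs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DTD is ever re-enabled for a trusted source.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses with the hardened builder; returns null (after logging) when the parser rejects a DTD. */
    public static Document parseSafely(String xml) throws Exception {
        try {
            return hardenedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            // With disallow-doctype-decl on, the DOCTYPE itself is the reported error.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demo; the SYSTEM target is a placeholder path.
        String benign = "<?xml version=\"1.0\"?><order><id>42</id></order>";
        String hostile = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
            + "<order><id>&ext;</id></order>";

        for (String input : new String[] {benign, hostile}) {
            System.out.println("pre-screen flagged: " + looksLikeXxe(input));
            Document doc = parseSafely(input);
            System.out.println("parsed: " + (doc != null));
        }
    }
}
```

The regex screen is only a triage aid: it will miss entity declarations that use no external identifier (the "billion laughs" style of denial of service) and can be fooled by encodings the parser accepts but the regex does not see, so it belongs in logging and batch review rather than as the sole gate. The hardened builder is the control that actually matters, because rejecting the DOCTYPE removes every entity mechanism at once; if a trusted source genuinely needs a DTD, relax only `disallow-doctype-decl` for that source and leave the external-entity features off.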