Install: claude install-skill Liaabnormal676/find-cve-agent
# XXE Detection
## When to Use
Audit XML processing endpoints, SOAP services, document importers (DOCX/XLSX/SVG), and any code that parses XML from untrusted sources.
## Key Distinction from Entity Expansion
- **XXE** = EXTERNAL entities (`file://`, `http://`) -- reads files or makes HTTP requests
- **Entity expansion** = INTERNAL entity recursion (Billion Laughs) -- memory exhaustion DoS
Both can exist in the same parser, but they are different vulnerabilities.
## Process
### Step 1: Find XML Parsers
```bash
# JavaScript
grep -rn "DOMParser\|XMLParser\|xml2js\|libxmljs\|xmldom\|sax\|saxes" .
# Python
grep -rn "xml\.etree\|lxml\|minidom\|xml\.sax\|defusedxml\|xmltodict" .
# Go
grep -rn "xml\.Decoder\|xml\.Unmarshal\|encoding/xml" .
# Java
grep -rn "DocumentBuilder\|SAXParser\|XMLReader\|TransformerFactory\|SchemaFactory" .
# PHP
grep -rn "simplexml\|DOMDocument\|XMLReader\|xml_parse" .
# Ruby
grep -rn "Nokogiri\|REXML\|Ox\|LibXML" .
```
### Step 2: Check External Entity Configuration
```bash
grep -rn "FEATURE_SECURE_PROCESSING\|FEATURE_EXTERNAL_ENTITIES\|FEATURE_GENERAL_ENTITIES" .
grep -rn "resolve_entities\|external_entities\|load_external\|noent\|nonet" .
grep -rn "disallow-doctype-decl\|external-general-entities\|external-parameter-entities" .
grep -rn "XXE\|external.*entity\|doctype" .
```
### Step 3: Check Default Safety
Most modern parsers are SAFE by default. Key exceptions:
| Parser | Default External Entities | Safe? |
|--------|--------------------------|-------|
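As an added example (not code from the skill page or from the find-cve-agent project), a small Python scanner that mechanises Steps 1 and 2: it finds parser constructions per language and records whether the same file also carries one of the hardening indicators, so the Step 3 review can focus on the unhardened ones. The rule table and the sample sources are assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Per-language (parser constructor, hardening indicator) regex pairs.
# Constructed for this example from the grep patterns in Steps 1 and 2 plus
# a few well-known flags; a starting point, not a complete catalogue.
RULES = {
    "java": (
        r"DocumentBuilderFactory|SAXParserFactory|XMLInputFactory|TransformerFactory",
        r"disallow-doctype-decl|external-general-entities|external-parameter-entities"
        r"|FEATURE_SECURE_PROCESSING|IS_SUPPORTING_EXTERNAL_ENTITIES|ACCESS_EXTERNAL_DTD",
    ),
    "python": (
        r"XMLParser\(|etree\.(parse|fromstring)|xml\.sax|minidom|xmltodict",
        r"defusedxml|resolve_entities\s*=\s*False|no_network\s*=\s*True",
    ),
    "php": (
        r"simplexml_load_\w+|new DOMDocument|new XMLReader|xml_parse",
        r"libxml_disable_entity_loader|LIBXML_NONET",
    ),
}

@dataclass
class Finding:
    language: str
    line: int       # 1-based line number of the parser construction
    text: str       # the line itself, for the triage report
    hardened: bool  # a hardening indicator appears somewhere in the same file

def scan_source(source: str, language: str) -> list[Finding]:
    """Report every parser construction in one source file.

    hardened=True only means an indicator was seen in the file; the reviewer
    still confirms the flag is set to the safe value (Step 3) rather than,
    say, resolve_entities=True. An empty list means "no parser here".
    """
    parser_re, hardening_re = (re.compile(p) for p in RULES[language])
    hardened = hardening_re.search(source) is not None
    return [
        Finding(language, n, line.strip(), hardened)
        for n, line in enumerate(source.splitlines(), 1)
        if parser_re.search(line)
    ]

# Constructed sample sources (not taken from any real project).
JAVA_UNHARDENED = """\
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
Document doc = dbf.newDocumentBuilder().parse(request.getInputStream());
"""
JAVA_HARDENED = """\
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
"""
PY_HARDENED = "parser = etree.XMLParser(resolve_entities=False, no_network=True)\n"

if __name__ == "__main__":
    for lang, src in (("java", JAVA_UNHARDENED), ("java", JAVA_HARDENED), ("python", PY_HARDENED)):
        for f in scan_source(src, lang):
            print(f"{lang}:{f.line} hardened={f.hardened} {f.text}")
```

Run it over real files by reading each file's text and choosing the rule key from its extension; unhardened findings are the ones to open first.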