CompTIA CySA+ CS0-003: XML external entity injection attack

XML is used to transport data between a client and a server, for example between a web server and a web browser. Problems arise when applications rely on a standard library or platform API to process XML on the server side: the XML specification contains many features, standard parsers support those features, and several of them can lead to vulnerabilities.

XML external entities are entities whose content is loaded from outside the DTD, which allows an entity to be defined from the contents of a file path or URL:

<!-- inside a DOCTYPE, the entity "xxe" is defined from whatever the given path or URL returns -->
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///location" >
]>

A vulnerability exists when XML input that contains a reference to an external entity is processed by a poorly configured XML parser, because an XML external entity attack works by affecting the application that parses the XML input. If the system identifier contains corrupt data and the XML processor dereferences that data, an attack can be conducted. There are several variations of external entity attacks, such as performing SSRF, exfiltrating data out of band, retrieving data via error messages, and retrieving files.
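The mitigation that follows from the paragraph above is to make the parser refuse the features XXE depends on: a DOCTYPE, entity declarations, and external entity references. The Python below is an added example (not code from the original page or from CompTIA) built on the standard-library expat parser; it pairs a cheap pre-parse DTD check, usable for log triage or a request filter, with a parser that raises on any of those three features. The sample documents, including the one carrying the page's file:///location entity, are constructed inline.

```python
"""Hardened XML parsing for untrusted input, with a pre-parse DTD check."""
import re
import xml.parsers.expat


class UnsafeXML(Exception):
    """Raised when the input uses XML features an untrusted document must not carry."""


# XXE needs an entity declaration, and only a DTD can carry one, so any
# DOCTYPE or ENTITY marker in untrusted input is worth flagging before parsing.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(data: bytes) -> bool:
    """Cheap pre-parse check: True if the document declares a DTD or an entity."""
    return _DTD_MARKER.search(data) is not None


def parse_untrusted(data: bytes) -> dict:
    """Parse XML from an untrusted source into {element_name: text}.

    The parser is configured so that a DOCTYPE, any entity declaration
    (internal or external) or any external entity reference aborts parsing
    with UnsafeXML instead of being expanded or dereferenced.
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    stack: list = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: untrusted XML must not declare a DTD")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} rejected")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r} rejected")

    def on_start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def on_end(name):
        stack.pop()

    def on_chars(text):
        if stack:
            result[stack[-1]] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse()
    return result


def is_rejected(data: bytes) -> bool:
    """True if parse_untrusted refuses the document on XXE grounds."""
    try:
        parse_untrusted(data)
    except UnsafeXML:
        return True
    return False


# Constructed samples: one benign order document, one carrying the entity form
# shown above (file:///location) so the rejection path can be exercised.
BENIGN_XML = b"<order><id>42</id><note>hello</note></order>"
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///location"> ]>'
    b"<data>&xxe;</data>"
)

if __name__ == "__main__":
    print("benign has DTD:", has_dtd(BENIGN_XML), "->", parse_untrusted(BENIGN_XML))
    print("xxe has DTD:", has_dtd(XXE_XML), "rejected:", is_rejected(XXE_XML))
```

Rejecting the whole DOCTYPE is deliberate: it closes the internal-entity expansion case (entity bombs) as well as external entities, and it is the setting most XML libraries expose under a name such as "disallow DOCTYPE". The pre-parse `has_dtd` check is a detection aid, not a replacement for the parser configuration, since a parser that still resolves entities will do so regardless of what the filter saw.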