XML External Entity vulnerability allowing file disclosure through unsafe XML parsing.
```python
from lxml import etree

def parse_user_data(xml_string):
    # Parse XML from user input
    parser = etree.XMLParser()
    doc = etree.fromstring(xml_string, parser)

    user_data = {
        'name': doc.find('name').text,
        'email': doc.find('email').text,
        'role': doc.find('role').text
    }

    return user_data
```
The vulnerable code constructs XMLParser with its defaults and never disables external entity resolution. An attacker who controls the XML can inject a DTD declaration whose entity points at a local file (file disclosure) or at an internal URL (SSRF), and the parser substitutes the fetched content into the document. The secure version disables entity resolution (resolve_entities) and DTD loading, and keeps no_network enabled.
Inject DTD to read sensitive system files:

```xml
<?xml version="1.0"?><!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><user><name>&xxe;</name><email>x@x.com</email><role>user</role></user>
```

Returns /etc/passwd contents in the name field.
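A hardened counterpart to the parser above, added here as an example and not taken from the original page: it turns off entity substitution and DTD loading in lxml, and additionally refuses any document that carries a DOCTYPE or an unresolved entity reference, since a user record has no legitimate need for either. The field names, the helper `is_rejected`, and the sample inputs are constructed for this example; the payload is the one shown on the page.

```python
from lxml import etree

# Hardened parser: no entity substitution, no external DTD fetching,
# no network access from inside the parser (lxml XMLParser options).
SAFE_PARSER = etree.XMLParser(
    resolve_entities=False,
    no_network=True,
    load_dtd=False,
    dtd_validation=False,
)

def parse_user_data_safe(xml_bytes):
    """Parse <user> XML from an untrusted source without resolving entities.

    Raises ValueError on any DOCTYPE or entity reference: with
    resolve_entities=False the reference is kept as an Entity node instead
    of being expanded, and we refuse the record rather than return None text.
    """
    doc = etree.fromstring(xml_bytes, SAFE_PARSER)
    info = doc.getroottree().docinfo
    if info.doctype or info.internalDTD is not None or info.externalDTD is not None:
        raise ValueError("DOCTYPE not allowed in user data")
    if any(True for _ in doc.iter(etree.Entity)):
        raise ValueError("entity reference not allowed in user data")
    fields = {}
    for tag in ("name", "email", "role"):  # hypothetical schema for this example
        node = doc.find(tag)
        if node is None or node.text is None:
            raise ValueError(f"missing <{tag}>")
        fields[tag] = node.text
    return fields

def is_rejected(xml_bytes):
    """Return True if parse_user_data_safe refuses the document."""
    try:
        parse_user_data_safe(xml_bytes)
    except (ValueError, etree.XMLSyntaxError):
        return True
    return False

# Constructed sample inputs: the page's XXE payload and a benign record.
XXE_PAYLOAD = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               b'<user><name>&xxe;</name><email>x@x.com</email><role>user</role></user>')
BENIGN = b'<user><name>alice</name><email>a@example.com</email><role>user</role></user>'

if __name__ == "__main__":
    print("payload rejected:", is_rejected(XXE_PAYLOAD))   # True
    print("benign record:", parse_user_data_safe(BENIGN))
```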