xml-external-entity
Safeguard articles tagged "xml-external-entity" — guides, analysis, and best practices for software supply chain and application security.
6 articles
XXE (XML External Entity) attack
A precise breakdown of what an XXE attack is, how XML external entity injection works, a real-world exploit example, the billion laughs attack, and prevention techniques.
XML External Entity (XXE) injection explained
XXE injection lets attackers abuse XML parsers to read files, hit cloud metadata via SSRF, or crash servers — here's how it works and how to stop it.
XXE Examples: Annotated Payloads and Fixes
Concrete xxe examples showing how a malicious external entity reference reads local files or reaches internal services through an XML parser, and the config change that closes it.
XXE Attack Walkthroughs: What a Good Demo Actually Shows
Most XXE video walkthroughs stop at proof-of-concept file reads — here's what a genuinely useful one covers, plus the Java fix that actually closes the hole.
Fixing XXE in Java: A Parser-by-Parser Hardening Guide
A parser-by-parser XXE fix for Java, covering DocumentBuilderFactory, SAXParser, XMLInputFactory, TransformerFactory, and the XML libraries that still ship unsafe defaults.
XXE Attacks Explained: XML External Entity Injection
How an XXE attack turns a trusting XML parser into a file-reading, request-forging liability, with a concrete Java example and the parser flags that shut it down.