xml-security
Safeguard articles tagged "xml-security" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Finding and fixing XXE vulnerabilities across common XML parsers
XXE is tracked as CWE-611 and lives in OWASP's misconfiguration category — because most XML parsers ship unsafe by default.
XPath injection: how it happens and how to stop it in Java, .NET, and PHP
A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.
Preventing XML external entity (XXE) injection
XXE injection lets attackers read local files, trigger SSRF, or crash servers via XML parsers. Here is how it works and how to shut it down for good.
What is XML External Entity (XXE) Injection
XXE injection lets attackers abuse XML parsers to read files, trigger SSRF, or crash services. Here's how it works, real CVEs, and how to stop it.
XPath Injection Vulnerabilities
XPath injection lets attackers rewrite XML queries to bypass logins and steal data. Here is how it works, real incidents, and how Safeguard defends against it.
XXE Prevention in Ruby with Nokogiri NONET/NOENT
Nokogiri wraps libxml2, and one misconfigured parse call can leak local files or trigger SSRF. Here's how NONET and NOENT actually work, and how to lock them down.
XXE Prevention in Python with resolve_entities=False
Why lxml's XMLParser resolves external entities by default, how resolve_entities=False actually stops XXE, and where Python teams still leave file-read and SSRF paths open.
XML External Entity (XXE) Prevention: Disabling the Features That Attack You
XXE attacks exploit XML parser features that most applications never need. Here is how to disable them across every major language and framework.