Safeguard
Tag

xml-security

Safeguard articles tagged "xml-security" — guides, analysis, and best practices for software supply chain and application security.

8 articles

Application Security

Finding and fixing XXE vulnerabilities across common XML parsers

XXE is tracked as CWE-611 and lives in OWASP's misconfiguration category — because most XML parsers ship unsafe by default.

Jul 13, 20267 min read
Application Security

XPath injection: how it happens and how to stop it in Java, .NET, and PHP

A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.

Jul 13, 20266 min read
Application Security

Preventing XML external entity (XXE) injection

XXE injection lets attackers read local files, trigger SSRF, or crash servers via XML parsers. Here is how it works and how to shut it down for good.

May 28, 20267 min read
Vulnerability Analysis

What is XML External Entity (XXE) Injection

XXE injection lets attackers abuse XML parsers to read files, trigger SSRF, or crash services. Here's how it works, real CVEs, and how to stop it.

Mar 30, 20266 min read
Industry Analysis

XPath Injection Vulnerabilities

XPath injection lets attackers rewrite XML queries to bypass logins and steal data. Here is how it works, real incidents, and how Safeguard defends against it.

Nov 9, 20258 min read
Industry Analysis

XXE Prevention in Ruby with Nokogiri NONET/NOENT

Nokogiri wraps libxml2, and one misconfigured parse call can leak local files or trigger SSRF. Here's how NONET and NOENT actually work, and how to lock them down.

Oct 23, 20258 min read
Industry Analysis

XXE Prevention in Python with resolve_entities=False

Why lxml's XMLParser resolves external entities by default, how resolve_entities=False actually stops XXE, and where Python teams still leave file-read and SSRF paths open.

Oct 22, 20257 min read
Code Security

XML External Entity (XXE) Prevention: Disabling the Features That Attack You

XXE attacks exploit XML parser features that most applications never need. Here is how to disable them across every major language and framework.

Feb 18, 20245 min read
xml-security — Safeguard Blog