CWE-611: XML External Entity (XXE)

Overview

This issue was identified during dynamic (DAST) scanning based on observed runtime behavior indicating that untrusted XML input influenced parser behavior, such as external entity resolution or DTD processing. Confirmation requires reviewing XML parser configuration.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-611 typically indicate runtime behavior consistent with unsafe XML parsing, such as:

  • External entities being resolved during XML parsing
  • DTD processing occurring on untrusted input
  • Application behavior changing based on crafted XML structure

Evidence is based on observed parser behavior at runtime, not on request parameters or payload syntax.

Mapping DAST Findings to Source Code

CWE-611 does not hinge on a single vulnerable parameter or endpoint. The issue resides in how XML parsers are configured and invoked.

When tracing this issue in code, look for:

  • XML parser initialization and configuration
  • Whether external entity resolution or DTD processing is enabled
  • Libraries used to parse XML from untrusted sources
  • Shared parser utilities or framework defaults

Remediation

Core Principle: Never allow untrusted XML input to influence parser structure or external resource resolution; XML parsing behavior must be fully constrained by the server.

→ For comprehensive remediation guidance, see Static CWE-611 Guidance

Language-Specific Guidance

The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:

Verification and Follow-Up Testing

After applying the fix:

1. Verify Parser Configuration

  • Confirm external entity resolution is disabled
  • Verify DTD processing is disabled or safely constrained

2. Validate Runtime Behavior

  • Ensure XML input cannot influence external resource access
  • Confirm malformed or entity-based XML is safely rejected or ignored

3. Test Edge Cases

  • Different XML document types
  • Alternative encodings
  • Large or deeply nested documents

4. Re-run DAST Scanner

Re-run the dynamic scanner to confirm unsafe XML parsing behavior is no longer observed.
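The following is an added example, not code from this guidance or from any particular product: it shows, with the Python standard library's xml.sax parser, what the Core Principle above looks like in practice (the server, not the document, decides whether DTDs, external entities and deep nesting are allowed) and wraps the follow-up checks from the verification steps into one routine. The parser is a stand-in for whatever XML library the traced code actually uses; the sample documents, the element and entity names, the file:// placeholder and the depth limit of 32 are all constructed for the example.

```python
import io
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use a feature the server does not allow."""


class _RejectDTD:
    """Lexical handler: a DOCTYPE is refused before any entity declaration is read,
    so neither external (SYSTEM/PUBLIC) nor internal (blow-up) entities get defined."""

    def startDTD(self, name, public_id, system_id):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected (system id {system_id!r})")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


class _Collector(ContentHandler):
    """Records element names and text, and enforces a nesting-depth limit."""

    def __init__(self, max_depth):
        super().__init__()
        self.max_depth = max_depth
        self.depth = 0
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.depth += 1
        if self.depth > self.max_depth:
            raise UnsafeXML(f"nesting deeper than {self.max_depth} rejected")
        self.elements.append(name)

    def endElement(self, name):
        self.depth -= 1

    def characters(self, content):
        self.text.append(content)


def parse_untrusted(xml_bytes, max_depth=32):
    """Parse XML from an untrusted source with DTDs, external entities and
    excessive nesting all refused. Returns the element names and joined text."""
    parser = xml.sax.make_parser()
    # Belt and braces: even if a DTD were ever processed, never fetch external entities.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, _RejectDTD())
    collector = _Collector(max_depth)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return {"elements": collector.elements, "text": "".join(collector.text).strip()}


# Constructed sample inputs for follow-up testing (not captured traffic).
BENIGN = b'<?xml version="1.0"?><order><item sku="A1">2</item></order>'
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/never-read">]>'
            b'<order>&ext;</order>')
UTF16 = '<?xml version="1.0" encoding="utf-16"?><order><item>ok</item></order>'.encode("utf-16")
DEEP = b"<a>" * 64 + b"x" + b"</a>" * 64  # deeper than the configured limit


def _rejected(payload, **kwargs):
    try:
        parse_untrusted(payload, **kwargs)
    except UnsafeXML:
        return True
    return False


def verify_hardening():
    """Follow-up checks: benign input still parses (in more than one encoding),
    while DTD-bearing and deeply nested input is refused."""
    return {
        "benign_parsed": parse_untrusted(BENIGN)["text"] == "2",
        "utf16_parsed": parse_untrusted(UTF16)["elements"] == ["order", "item"],
        "dtd_rejected": _rejected(WITH_DTD),
        "deep_rejected": _rejected(DEEP, max_depth=32),
    }


if __name__ == "__main__":
    for check, ok in verify_hardening().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

Refusing every DOCTYPE is stricter than only disabling external entity resolution, but it is the setting that is easiest to verify in step 1 and it also removes internal-entity expansion attacks in one move; if the application legitimately needs a DTD, the lexical handler is the single place to relax that decision, which keeps the policy server-side as the Core Principle requires.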

Additional Resources