Defending Against XML External Entity (XXE) Attacks: A Review and Comparative Analysis of Prevention Mechanisms | IEEE Conference Publication | IEEE Xplore


Abstract:

With advancing technologies, Extensible Markup Language (XML) has become a popular document format that is used by a wide range of applications. This document format is used for storing, exchanging, and representing data across diverse systems and platforms, thereby ensuring interoperability in various applications. However, XML parsers are susceptible to a specific vulnerability known as XML External Entity (XXE) attacks. These attacks exploit weaknesses in XML processing, potentially leading to serious security breaches in systems that lack adequate security mechanisms. Whilst limited published literature has investigated XXE attacks, this study comprehensively reviews six different strategies for preventing such attacks, in order to analyze and evaluate their effectiveness in mitigating XXE attacks. The techniques reviewed include the use of XML parser configuration, whitelists, user input validation, static code analysis, honeypots and web application firewalls. The findings indicate that completely disabling external entities within XML parsers is the most effective approach for preventing XXE attacks. In addition, the research highlights the critical role of proper configuration and adherence to stringent security practices in XML parsing.
Date of Conference: 24-26 October 2024
Date Added to IEEE Xplore: 13 December 2024
Conference Location: Mauritius

I. Introduction

XML was created in 1998 by the World Wide Web Consortium as a document format that is human-readable and easy for programs to process [1]. Since its creation, XML has been used to define and store data for many applications and protocols. Open Office XML (OOXML) documents, the SVG image format and the SOAP networking protocol all rely on XML at their core. This was made possible by the extensible nature of XML: developers can easily customise it to accommodate new functionalities to suit their needs [2]. However, this also means that security flaws found in XML can impact other programs. One vulnerability affects almost all applications that use XML, namely XML External Entity Injection.
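The abstract's main finding is that disabling external entities in the XML parser is the most effective XXE prevention, with input validation as a secondary layer. The following Python example, added here and not taken from the paper, shows both layers with the standard library's SAX parser: a hardened parser with external general and parameter entities switched off, and a pre-parse gate that rejects any untrusted document carrying a DTD at all. The sample documents and the `file:///hypothetical/secret.txt` path are constructed for the demonstration.

```python
"""Hardened XML parsing (added example, not the paper's code):
1. parser configuration: external general/parameter entities disabled;
2. defence in depth: refuse DTD-bearing input before it reaches the parser.
"""
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample documents. XXE_DOC declares an external entity that
# points at a non-existent, hypothetical path; a parser that resolved it
# would either read that file or fail trying.
BENIGN_DOC = b'<?xml version="1.0"?><order><item>widget</item></order>'
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///hypothetical/secret.txt">]>'
    b'<order><item>&ext;</item></order>'
)

# Any DOCTYPE or ENTITY declaration marks a document we do not accept from
# untrusted sources; legitimate data exchange rarely needs a DTD.
_DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class _TextCollector(ContentHandler):
    """Collects the character data of each element by element name."""

    def __init__(self):
        super().__init__()
        self.texts = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.texts.setdefault(name, "")

    def characters(self, content):
        if self._stack:
            self.texts[self._stack[-1]] += content

    def endElement(self, name):
        self._stack.pop()


def make_hardened_parser():
    """SAX parser that never fetches external general or parameter entities.
    Recent Python versions already default feature_external_ges to False;
    setting both features explicitly removes any dependence on that default."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    return parser


def parse_with_hardened_parser(doc: bytes) -> dict:
    """Layer 1 only: the document is parsed, but a reference to an external
    entity expands to nothing instead of to the file's contents."""
    handler = _TextCollector()
    parser = make_hardened_parser()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return handler.texts


def rejects_dtd(doc: bytes) -> bool:
    """Layer 2: True if the document carries a DOCTYPE/ENTITY declaration."""
    return _DTD_MARKER.search(doc) is not None


def parse_untrusted(doc: bytes) -> dict:
    """Both layers: gate on DTD presence, then parse with the hardened parser."""
    if rejects_dtd(doc):
        raise ValueError("DTD or entity declarations are not accepted from untrusted input")
    return parse_with_hardened_parser(doc)


if __name__ == "__main__":
    print("benign:", parse_untrusted(BENIGN_DOC))
    print("xxe via hardened parser:", parse_with_hardened_parser(XXE_DOC))
    print("xxe rejected by gate:", rejects_dtd(XXE_DOC))
```

The text gate is deliberately crude (a regular expression on the raw bytes) and is only a second line of defence; the parser configuration is what actually removes the entity-resolution capability, which is why the paper ranks it highest. A parser that silently expands the entity to an empty string is also easy to spot in logs: an element that should never be empty arriving empty is a useful detection signal for attempted XXE.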

