XML Security Inspector
Detect XXE attacks, DTD injection, entity expansion bombs, and CDATA injection in XML documents
Enter XML to scan for XXE attacks, DTD injection, entity expansion, and CDATA injection vulnerabilities
What is the XML Security Inspector?
The XML Security Inspector is a client-side security analysis tool that scans XML documents for common attack vectors and misconfigurations. It detects XXE (XML External Entity) attacks, DTD injection, entity expansion bombs (Billion Laughs), CDATA injection with script content, and excessive nesting that could cause denial-of-service conditions.
How to Use
- Paste your XML content into the input field
- Click "Inspect" or wait for automatic processing
- Review vulnerability findings with severity ratings (Critical, High, Medium, Low)
- Follow the recommendations to fix each vulnerability
- Export a full report in JSON or Markdown format
Example: XXE Attack
This XML attempts to read a local file via an external entity:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
Example: Billion Laughs Attack
This XML chains entity definitions so that each level expands to five copies of the level below it. Here the result is only 75 characters, but every additional level multiplies it again, which is what makes the attack exponential:
<!DOCTYPE bomb [
<!ENTITY a "lol">
<!ENTITY b "&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;">
]>
<root>&c;</root>
Security Vulnerabilities Detected
- XXE (External Entity) — ENTITY declarations with SYSTEM or PUBLIC identifiers that fetch external resources
- DTD Injection — Internal or external DTD declarations that enable entity-based attacks
- Entity Expansion (Billion Laughs) — Chained entity definitions causing exponential memory growth
- CDATA Injection — CDATA sections containing script tags, event handlers, or HTML injection
- Processing Instructions — PIs other than the XML declaration, which may reveal the server-side technology that produced the document or direct a consumer to load an external stylesheet (xml-stylesheet)
- Excessive Nesting — Deep nesting depth that could cause parser stack overflow
Security Scoring
Each XML document receives a score from 0 to 100 based on detected vulnerabilities. Severity weights are: Critical (25 points), High (15 points), Medium (8 points), Low (3 points). The score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
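As an added example (not the tool's source, which the page does not show), the following JavaScript implements the six detections listed above and the scoring rules in this section, including the expansion estimate that the Billion Laughs FAQ describes. It works on the raw text, so it runs in Node as well as in a browser. The depth limit and expansion cap are assumptions, since the page gives no numbers, and stacking the DTD finding with the XXE or expansion finding on the same document is my reading of the scoring rules.

```javascript
// Added example, not the tool's own source: a string-based inspector that implements
// the detection rules and scoring table on this page; the two limits are assumptions.
const WEIGHTS = { Critical: 25, High: 15, Medium: 8, Low: 3 };
const MAX_DEPTH = 32;        // assumed nesting limit (the page names no number)
const MAX_EXPANSION = 1e6;   // assumed cap on the estimated expanded size
const DOCTYPE_RE = /<!DOCTYPE([^\[>]*)(?:\[([\s\S]*?)\])?\s*>/;
const ENTITY_RE = /<!ENTITY\s+(%\s*)?([\w.-]+)\s+(?:(SYSTEM|PUBLIC)\b[^>]*|"([^"]*)"|'([^']*)')\s*>/g;
const REF_RE = /&([\w.-]+);/g;

// Split the DOCTYPE into its external identifier (if any) and the entities of its
// internal subset: external entities are the XXE vector, internal ones build bombs.
function parseDoctype(xml) {
  const m = xml.match(DOCTYPE_RE);
  const entities = new Map();
  if (!m) return { present: false, external: false, entities };
  for (const e of (m[2] || '').matchAll(ENTITY_RE)) {
    entities.set(e[2], { external: e[3] !== undefined, body: e[4] ?? e[5] ?? '' });
  }
  return { present: true, external: /\b(SYSTEM|PUBLIC)\b/.test(m[1]), entities };
}

// Estimate each entity's expanded size and chain depth with a memoised walk of the
// reference graph, never expanding anything; a cycle is recorded, not followed.
function expansionInfo(entities) {
  const memo = new Map();
  let recursive = false;
  const visit = (name, stack) => {
    if (memo.has(name)) return memo.get(name);
    if (stack.has(name)) { recursive = true; return { size: 0, depth: 0 }; }
    const ent = entities.get(name);
    if (!ent || ent.external) return { size: 0, depth: 0 };
    stack.add(name);
    let size = ent.body.length, depth = 0;
    for (const [ref, inner] of ent.body.matchAll(REF_RE)) {
      const r = visit(inner, stack);
      size += r.size - ref.length;          // the reference text is replaced by its expansion
      depth = Math.max(depth, r.depth + 1);
    }
    stack.delete(name);
    memo.set(name, { size, depth });
    return memo.get(name);
  };
  for (const name of entities.keys()) visit(name, new Set());
  return { memo, recursive };
}

// Element nesting depth, counted from start, end and self-closing tags.
function maxDepth(tree) {
  let depth = 0, max = 0;
  for (const [, close, selfClose] of tree.matchAll(/<(\/?)[\w:.-]+[^<>]*?(\/?)>/g)) {
    if (close) depth--; else if (!selfClose) depth++;
    max = Math.max(max, depth);
  }
  return max;
}
function inspect(xml) {
  const findings = [];
  const add = (severity, type, detail) => findings.push({ severity, type, detail });
  const dt = parseDoctype(xml);
  if (dt.present) add('High', 'DTD Injection', dt.external ? 'external DTD reference' : 'internal DTD subset');
  if (dt.external) add('Critical', 'XXE', 'DOCTYPE fetches an external DTD');
  for (const [name, e] of dt.entities) {
    if (e.external) add('Critical', 'XXE', `entity "${name}" uses a SYSTEM/PUBLIC identifier`);
  }
  const body = xml.replace(DOCTYPE_RE, '');
  const { memo, recursive } = expansionInfo(dt.entities);
  let expanded = 0, chained = false;
  for (const [, name] of body.matchAll(REF_RE)) {
    const info = memo.get(name);
    if (!info) continue;                     // predefined (&lt; ...), external or undeclared
    expanded += info.size;
    chained = chained || info.depth >= 2;    // entities built from entities built from entities
  }
  if (recursive) add('Critical', 'Entity Expansion', 'recursive entity definition');
  else if (chained || expanded > MAX_EXPANSION) add('Critical', 'Entity Expansion', `estimated expansion ${expanded} characters`);
  for (const [, text] of xml.matchAll(/<!\[CDATA\[([\s\S]*?)\]\]>/g)) {
    if (/<script\b|\son\w+\s*=|javascript:/i.test(text)) add('High', 'CDATA Injection', 'script content in CDATA');
    else if (/<\w+[^>]*>/.test(text)) add('Medium', 'CDATA Injection', 'HTML markup in CDATA');
  }
  for (const [, target] of body.matchAll(/<\?([\w-]+)[\s\S]*?\?>/g)) {
    if (target.toLowerCase() !== 'xml') add('Low', 'Processing Instruction', `<?${target} ...?>`);
  }
  const tree = body.replace(/<!\[CDATA\[[\s\S]*?\]\]>|<!--[\s\S]*?-->|<\?[\s\S]*?\?>/g, '');
  const depth = maxDepth(tree);
  if (depth > MAX_DEPTH) add('Medium', 'Excessive Nesting', `depth ${depth}`);
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + WEIGHTS[f.severity], 0));
  const grade = score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F';
  return { score, grade, findings, expanded, depth };
}

// Constructed samples: the two documents shown on this page plus two more.
const SAMPLES = {
  xxe: '<?xml version="1.0"?>\n<!DOCTYPE foo [\n<!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<root>&xxe;</root>',
  bomb: '<!DOCTYPE bomb [\n<!ENTITY a "lol">\n<!ENTITY b "&a;&a;&a;&a;&a;">\n<!ENTITY c "&b;&b;&b;&b;&b;">\n]>\n<root>&c;</root>',
  cdata: '<doc><![CDATA[<script>alert(1)</script>]]><?php echo 1; ?></doc>',
  clean: '<?xml version="1.0"?><config><db host="localhost"/></config>',
};
for (const [name, doc] of Object.entries(SAMPLES)) console.log(name, JSON.stringify(inspect(doc)));
```

Run against the page's two examples, both score 60 (C): the DTD finding (High, 15) plus one Critical finding (25). The estimate for the Billion Laughs sample is only 75 characters; what flags it is the chain depth, because a third level of entities is already exponential growth, and the same walk reports a recursive definition (an entity referencing itself) instead of looping on it.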
How to Prevent XML Attacks
- Disable DTD processing in your XML parser (the most effective mitigation)
- Disable external entity resolution as well: in Java, set the parser feature http://apache.org/xml/features/disallow-doctype-decl to true (or, if DTDs must be accepted, set external-general-entities and external-parameter-entities to false); XMLConstants.FEATURE_SECURE_PROCESSING adds expansion limits but on its own does not stop XXE
- Set entity expansion limits, together with a maximum document size and nesting depth, as a second line of defense against Billion Laughs attacks
- Use defusedxml (Python) and follow the OWASP XML External Entity Prevention Cheat Sheet or your platform's hardening guide
- Treat CDATA content as untrusted text: escape it, or insert it as text rather than markup, before it reaches an HTML page
- Use XML Schema (XSD) validation instead of DTD validation when possible, loading the schema from a trusted local location rather than from a URL carried in the document
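The prevention rules above, as an added example in JavaScript that is not the tool's own code: when the parser library you use has no switch to disable DTDs, the same effect is reached by refusing any document with a DOCTYPE before it is parsed, and the block also shows the escaping step for CDATA or text content destined for an HTML page. The byte budget, the UnsafeXmlError class and the renderValue helper are assumptions made for this example.

```javascript
// Added example, not the tool's code: a pre-parse gate that applies the prevention
// rules to the raw document when the XML library in use has no "disable DTD" switch,
// plus the escaping step for showing extracted CDATA/text in HTML. The size budget,
// the error class and the render helper are assumptions made for this example.

const MAX_BYTES = 1 << 20;     // assumed budget: 1 MiB of XML per request
const PREDEFINED = new Set(['lt', 'gt', 'amp', 'apos', 'quot']);

class UnsafeXmlError extends Error {}

// Returns the document unchanged if it may be handed to the parser, else throws.
function gateXml(xml, maxBytes = MAX_BYTES) {
  if (xml.length > maxBytes) throw new UnsafeXmlError('document exceeds size budget');
  // Rejecting every DOCTYPE is "disable DTD processing" applied to the text: with no
  // DTD there are no custom entities, so XXE and expansion bombs cannot exist at all.
  if (/<!DOCTYPE/i.test(xml)) throw new UnsafeXmlError('DTD declarations are not accepted');
  // Without a DTD the only legal named references are the five predefined ones;
  // numeric references (&#60; &#x3C;) are skipped by the pattern and stay allowed.
  for (const [, name] of xml.matchAll(/&([^#\s;&]+);/g)) {
    if (!PREDEFINED.has(name)) throw new UnsafeXmlError(`undeclared entity reference &${name};`);
  }
  return xml;
}

// Escape text before it goes into an HTML context. By the time the application sees
// it, the parser has unwrapped any CDATA section, so its content is plain text and
// must be rendered as text, never assigned to innerHTML as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed render helper: a label/value pair from the XML as a safe HTML fragment.
function renderValue(label, value) {
  return `<dt>${escapeHtml(label)}</dt><dd>${escapeHtml(value)}</dd>`;
}

// Constructed inputs: the XXE document from this page and a harmless one.
const XXE_DOC = '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>';
const OK_DOC = '<r>a &amp; b &#60; c</r>';

// Classify a document without letting the exception escape, for the demo below.
function verdict(xml) {
  try { gateXml(xml); return 'accepted'; }
  catch (e) { if (e instanceof UnsafeXmlError) return `rejected: ${e.message}`; throw e; }
}

console.log(verdict(XXE_DOC));   // rejected: DTD declarations are not accepted
console.log(verdict(OK_DOC));    // accepted
console.log(renderValue('comment', '<script>alert(1)</script>'));
```

Where the parser does offer the setting (the Java feature, defusedxml, DtdProcessing.Prohibit in .NET), use it and keep a gate like this only as a belt-and-braces check in front of it; the escaping half applies everywhere, because no parser setting protects the page that later displays the parsed text.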
Privacy and Security
All analysis happens entirely in your browser using JavaScript and the native DOMParser API. Your XML content — which may contain internal configuration, API definitions, or sensitive data — is never transmitted to any server. No data is stored, logged, or shared.
Frequently Asked Questions
What is the XML Security Inspector?
The XML Security Inspector is a client-side tool that analyzes XML documents for common security vulnerabilities including XXE (XML External Entity) attacks, DTD injection, entity expansion attacks (Billion Laughs / XML bombs), CDATA injection with script content, suspicious processing instructions, and excessive nesting depth. It calculates a security score and provides actionable remediation recommendations.
What is an XXE (XML External Entity) attack?
XXE is an attack against applications that parse XML input. It abuses the XML external entity feature to read local files (file:///etc/passwd), reach internal services through server-side request forgery (SSRF), or exfiltrate data out of band. The attacker declares an entity with a SYSTEM identifier pointing at the target resource; if the parser is configured to resolve external entities, it fetches that resource and substitutes its content wherever the entity is referenced, so the content ends up in the parsed document or in the application's response.
What is a Billion Laughs attack?
The Billion Laughs attack (also called an XML bomb) is a denial-of-service attack that uses chained entity definitions to cause exponential expansion. A document of a few hundred bytes can expand to gigabytes when each entity references the previous one many times. The classic payload declares nine levels of entities on top of a base entity "lol", each level referencing the one below it ten times, so a single reference to the top-level entity expands to 10^9 (one billion) copies of "lol", about 3 GB of text.
Is my XML content sent to a server?
No. All analysis happens entirely in your browser using JavaScript and the browser-native DOMParser API. Your XML content — which may contain sensitive configuration data, API keys, or internal infrastructure details — never leaves your device and is never stored, logged, or transmitted.
How is the security score calculated?
The score starts at 100 and deducts points based on finding severity: Critical issues (XXE external entities, entity expansion chains) deduct 25 points, High issues (internal DTD, CDATA with scripts) deduct 15, Medium issues (excessive nesting, HTML in CDATA) deduct 8, and Low issues (processing instructions) deduct 3. The final score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
Why is CDATA flagged as a security issue?
A CDATA section tells the XML parser not to interpret markup inside it, so its content reaches the application as literal text that may contain arbitrary HTML and JavaScript. If the application then inserts that text into a web page as markup (for example via innerHTML) without escaping it, an attacker can inject script tags, event handlers, or iframes and achieve XSS. The inspector flags CDATA sections containing script-like content or HTML injection vectors.
How do I fix XXE vulnerabilities?
The primary defense is to disable DTD processing and external entity resolution in your XML parser. In Java, set the disallow-doctype-decl feature to true on the parser factory (XMLConstants.FEATURE_SECURE_PROCESSING alone is not enough); if you must accept DTDs, set external-general-entities and external-parameter-entities to false. In Python, parse with defusedxml. In PHP, libxml_disable_entity_loader() is deprecated since PHP 8.0 because libxml no longer loads external entities by default; make sure you never pass LIBXML_NOENT to the parser. In .NET, set XmlReaderSettings.DtdProcessing to DtdProcessing.Prohibit. As a general rule, never allow user-controlled XML to define or reference external entities.
What is the difference between internal and external DTD?
An internal DTD is declared inline within the DOCTYPE declaration (<!DOCTYPE root [...declarations...]>) and defines entities and rules directly in the document. An external DTD is referenced from the DOCTYPE via a SYSTEM or PUBLIC identifier and is fetched from that location. Both are dangerous: an internal DTD can declare external entities (which is how the XXE example above works) as well as the chained entities of an expansion bomb, and an external DTD makes the parser fetch a remote resource before the document is even processed, which attackers use to smuggle in entity declarations and for out-of-band exfiltration. The safest approach is to disable DTD processing entirely.
Does this tool validate XML correctness?
The tool performs basic XML well-formedness validation using the browser's native DOMParser before security analysis. However, its primary purpose is security vulnerability detection, not schema or DTD validation. For XML syntax validation, use our XML Validator tool. For formatting, use our XML Formatter.