XML External Entity Injection (XXE)
OWASP category: MASVS-CODE: Code Quality (https://mas.owasp.org/MASVS/10-MASVS-CODE)

Overview

An XML External Entity injection (XXE) is an attack against applications that parse XML input. An XXE attack occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack can be used to stage several kinds of incident, including denial of service, file system access, and data exfiltration.

Impact

When an application parses an XML document, it can process any DTDs (Document Type Definitions, the declarations in which external entities are defined) contained in the document. An attacker can exploit this behavior by injecting malicious declarations as a DTD. Those declarations can then reach parts of the device file system that are accessible only to the application and that may contain sensitive data. They can also cause the device to issue requests, potentially bypassing perimeter security measures.

Lastly, if the application expands DTDs, a document can reference entities many times over (each expansion referencing further entities), exhausting the device's resources and leading to a denial of service.
Mitigations

Disable DTDs

The safest way to prevent XXE is to always disable DTDs (and with them external entities) completely. Depending on the parser in use, the method could be similar to the following example for the XML Pull Parser library:
Java

    import org.xmlpull.v1.XmlPullParserFactory;

    XmlPullParserFactory factory = XmlPullParserFactory.newInstance();
    // Reject any DOCTYPE declaration, so no entities (external or internal) can be declared.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Kotlin

    import org.xmlpull.v1.XmlPullParserFactory

    val factory = XmlPullParserFactory.newInstance()
    // Reject any DOCTYPE declaration, so no entities (external or internal) can be declared.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
Disabling DTDs also protects the parser against the denial of service attacks described above. If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in a way that is specific to each parser.

Because of the large number of XML parsing engines on the market, the way to prevent XXE attacks differs from engine to engine. Refer to the documentation of your engine for details.

Perform input sanitisation

The application should be reconfigured so that it does not allow users to inject arbitrary content into the XML document's preamble. This has to be verified server-side, because client-side controls can be bypassed.

Use a different library

If the library or method in use cannot be configured securely, a different one should be considered. XML Pull Parser and SAX Parser can both be configured securely, disallowing DTDs and entities.
Resources

- OWASP XXE: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- OWASP XXE Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- XML Constants: FEATURE_SECURE_PROCESSING: /reference/javax/xml/XMLConstants#FEATURE_SECURE_PROCESSING
- XML Pull Parser: /reference/org/xmlpull/v1/XmlPullParser
- SAX Parser: /reference/javax/xml/parsers/SAXParser
The content and code samples on this page are subject to the licenses described in the Content License section. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.

Last updated (UTC): 2025-07-26.