https://www.secdev.uk/blog/tags/xml/ Recent content in XML on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 31 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-31-xxe-attacks/ Sat, 31 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-31-xxe-attacks/ <p>XML External Entity injection is one of those vulnerabilities that fascinated me the more I dug into it. The core issue is that the XML spec supports external entities, a feature that lets XML documents pull in content from external sources, and most parsers enable this by default. When an app parses untrusted XML without disabling that feature, an attacker can read arbitrary files off the server, perform SSRF, and sometimes even get remote code execution. What surprised me most when researching this was how straightforward the exploitation is compared to how long these bugs survive in production, the attack payloads are simple, but the parser defaults are so permissive that developers often have no idea the risk exists.</p>