C Sharp Xxe Dtdprocessing Parse
Description
Detects XML External Entity (XXE) vulnerabilities in C# code where XmlReader is created with settings that enable DTD processing. This configuration could allow an attacker to include external entities in XML input, potentially leading to information disclosure, denial of service, or server-side request forgery.
Detection Strategy
• Identifies usages of System.Xml namespace in the codebase
• Looks for calls to XmlReader.Create method
• Checks if the XmlReader.Create call has at least 2 arguments - a StringReader and XmlReaderSettings
• Verifies if the XmlReaderSettings object enables DTD processing through its property settings
• Reports a vulnerability when XML parsing is configured with DTD processing enabled
Vulnerable code example
using System.Xml;
using System.IO;

public class XmlProcessor {
    public void ProcessXml(string input) {
        var settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Parse; // Vulnerable: Enables external entity processing
        using (var reader = XmlReader.Create(new StringReader(input), settings)) {
            while (reader.Read()) {
                // Process nodes. With DtdProcessing.Parse, a DOCTYPE in the input is
                // honoured and the entities it declares are resolved and expanded.
            }
        }
    }
}
✅ Secure code example
using System.Xml;
using System.IO;

public class XmlProcessor {
    public void ProcessXml(string input) {
        var settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit; // Secure: Prevents XXE attacks by blocking DTD processing
        settings.XmlResolver = null; // Additional security: Prevents external resource resolution
        using (var reader = XmlReader.Create(new StringReader(input), settings)) {
            while (reader.Read()) {
                // Process nodes. With DtdProcessing.Prohibit, any DOCTYPE in the input
                // raises an XmlException before it is parsed.
            }
        }
    }
}
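The following is an added example, not code from the original page. It ties together the detection strategy above (an XmlReader.Create call taking a StringReader and an XmlReaderSettings object) and the secure configuration: it builds the hardened settings in one place and checks, on constructed sample input, that a document carrying a DOCTYPE is rejected while a plain document still parses. The class name HardenedXmlParser, the methods SecureSettings, RootElementName and IsRejected, and both sample documents are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (not from the original page): hardened XmlReaderSettings for
// untrusted XML plus a small self-check of the behaviour they enforce.
public static class HardenedXmlParser
{
    // Settings a defender should use for untrusted input: refuse any DTD and
    // never resolve external resources (external DTDs, entities, schemas).
    public static XmlReaderSettings SecureSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
    }

    // Parses `xml` with the secure settings and returns the root element name.
    // Throws XmlException when the input contains a DOCTYPE declaration,
    // because MoveToContent reads through the prolog where the DTD would sit.
    public static string RootElementName(string xml)
    {
        using (var sr = new StringReader(xml))
        using (var reader = XmlReader.Create(sr, SecureSettings()))
        {
            reader.MoveToContent();
            return reader.Name;
        }
    }

    // Returns true when the parser rejected the input, false when it parsed.
    public static bool IsRejected(string xml)
    {
        try
        {
            RootElementName(xml);
            return false;
        }
        catch (XmlException)
        {
            return true;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs (not taken from the page). The second one
        // declares only an internal entity; it is enough to trigger the check.
        const string benign = "<order><id>42</id></order>";
        const string withDoctype =
            "<!DOCTYPE order [<!ENTITY placeholder \"x\">]><order>&placeholder;</order>";

        Console.WriteLine("benign document rejected: " + IsRejected(benign));
        Console.WriteLine("DOCTYPE document rejected: " + IsRejected(withDoctype));
        Console.WriteLine("root element of benign document: " + RootElementName(benign));
    }
}
```

Running this prints that the benign document is not rejected and that the DOCTYPE document is, and reports `order` as the root element. If the application must accept inputs that carry a harmless DOCTYPE, DtdProcessing.Ignore is the alternative: it discards the DOCTYPE instead of throwing, and still does not process the DTD. Keep XmlResolver set to null in either case, so that nothing in the document can cause the reader to fetch an external resource.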