C Sharp Xxe Resolver Usage
Description
Detects unsafe XML External Entity (XXE) configurations in C# code by identifying insecure XmlResolver usage. When an XML resolver is not properly restricted, the parser can fetch external entities declared in a DTD, which may lead to server-side request forgery (SSRF), local file disclosure, or denial of service.
Detection Strategy
• Identifies code that uses XmlResolver without proper security restrictions
• Checks XML processing components for unsafe resolver configurations
• Reports vulnerabilities when XmlResolver is used in a way that allows external entity resolution
• Examines XML reader/parser initialization for missing security controls
Vulnerable code example
using System.Xml;

public static class XmlProcessor
{
    public static void ProcessXml()
    {
        XmlDocument doc = new XmlDocument();
        // Vulnerable: an XmlUrlResolver will follow SYSTEM/PUBLIC identifiers
        // and fetch external entities referenced by a DTD
        doc.XmlResolver = new XmlUrlResolver();
        doc.LoadXml("<?xml version='1.0'?><root/>");
    }
}
✅ Secure code example
using System.Xml;

public static class XmlProcessor
{
    public static void ProcessXml()
    {
        XmlDocument doc = new XmlDocument();
        // Secure: with no resolver, external entity references cannot be fetched
        doc.XmlResolver = null;
        doc.LoadXml("<?xml version='1.0'?><root/>");
    }
}
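The secure snippet above only addresses the document-level resolver. The following is an added example, not part of the rule's own code, showing the fuller hardening a reviewer would expect when the XML comes from an untrusted source: DTD processing is prohibited at the XmlReader level and the resolver is cleared on both the reader settings and the XmlDocument, so the outcome does not depend on framework defaults. The class and method names and the two input documents are assumptions constructed for the example; the placeholder entity URI uses a reserved `.invalid` host and is never contacted.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: hardened XML loading exercised against a constructed
// document that declares an external entity.
public static class SafeXmlLoader
{
    // Reject DTDs outright, and leave no resolver behind so that SYSTEM/PUBLIC
    // identifiers could not be followed even if a DTD were ever permitted.
    private static readonly XmlReaderSettings Hardened = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
    };

    // Parses untrusted XML into an XmlDocument with external entity
    // resolution disabled at both the reader and the document level.
    public static XmlDocument LoadUntrusted(string xml)
    {
        using (var reader = XmlReader.Create(new StringReader(xml), Hardened))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    public static void Main()
    {
        // Constructed inputs: a plain document, and one carrying a DOCTYPE that
        // declares an external entity (placeholder URI, nothing is fetched).
        const string benign = "<?xml version='1.0'?><root><item>ok</item></root>";
        const string withDtd =
            "<?xml version='1.0'?>" +
            "<!DOCTYPE root [<!ENTITY ext SYSTEM \"http://xxe.example.invalid/PLACEHOLDER\">]>" +
            "<root>&ext;</root>";

        Console.WriteLine("benign root element: " + LoadUntrusted(benign).DocumentElement.Name);

        try
        {
            LoadUntrusted(withDtd);
            Console.WriteLine("unexpected: DOCTYPE was accepted");
        }
        catch (XmlException ex)
        {
            // DtdProcessing.Prohibit makes the reader fail on the DOCTYPE
            // declaration itself, before any entity could be resolved.
            Console.WriteLine("rejected as expected: " + ex.Message);
        }
    }
}
```

The benign document loads normally, while the one with a DOCTYPE is rejected with an XmlException at the reader stage. Prohibiting DTDs is the stronger control because it also removes internal-entity expansion as a denial-of-service vector; clearing XmlResolver is the defence in depth that this rule checks for, and setting it explicitly avoids relying on whichever default the targeted .NET version ships.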