OWASP A04:2017 XML External Entities

F5 ASM
OWASP
IPI

Introduction to A04: XML External Entities

XML External Entities (XXE), listed as A4 in the OWASP Top 10 for 2017, is a vulnerability that arises when an XML parser is left configured to process document type definitions (DTDs) and to resolve external entity references in attacker-supplied XML. A single `<!ENTITY name SYSTEM "uri">` declaration lets the attacker choose a URI, so the parser reads local files through the file:// handler, makes requests to internal hosts (server-side request forgery), and returns the result inside the parsed document or leaks it through an error message; deeply nested entity expansions can also exhaust memory and cause denial of service. Applications that accept XML uploads or SOAP messages and run their XML parsers with vendor defaults are typical targets. To prevent XXE, disable DTD and external entity processing in every XML parser the application uses, keep parser libraries patched, and prefer simpler data formats such as JSON where possible.
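To make the weak versus hardened parser configuration concrete, the following is an added example written for this page; it is not code from the page, from OWASP or from F5. It uses only Python's standard-library expat binding: `parse_vulnerable` registers an external entity handler that fetches `file://` URIs, which is exactly the behaviour a weakly configured parser exhibits, while `parse_hardened` rejects any DOCTYPE before the DTD is read. The secret file, the `order` document and the `db_password` value are all constructed for the demonstration.

```python
"""Added example: a weakly configured expat parser that resolves an external
entity from a local file (XXE), beside a hardened parser that rejects any
DOCTYPE before its DTD is processed. Standard library only."""
import tempfile
import xml.parsers.expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname


class DtdNotAllowed(ValueError):
    """Raised by the hardened parser as soon as a DOCTYPE is encountered."""


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Return the document's character data, resolving external general
    entities from local files. This is the weakly configured behaviour:
    whatever file the attacker names ends up inside the parsed content."""
    p = xml.parsers.expat.ParserCreate()
    chunks = []
    p.CharacterDataHandler = chunks.append

    def resolve_external(context, base, system_id, public_id):
        # Called once per reference to an external entity. The child parser
        # inherits the parent's handlers, so the file's text lands in `chunks`.
        url = urlparse(system_id)
        if url.scheme != "file":
            return 0                      # any other scheme aborts parsing
        with open(url2pathname(url.path), "rb") as fh:
            data = fh.read()
        child = p.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    p.ExternalEntityRefHandler = resolve_external
    p.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Same output for DTD-free documents, but any DOCTYPE is rejected before
    its internal subset (and therefore any ENTITY declaration) is read."""
    p = xml.parsers.expat.ParserCreate()
    chunks = []
    p.CharacterDataHandler = chunks.append

    def reject_dtd(doctype_name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE %r rejected" % doctype_name)

    p.StartDoctypeDeclHandler = reject_dtd
    # Defence in depth: never fetch anything, even if a DTD slipped through.
    p.ExternalEntityRefHandler = lambda *args: 0
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(xml_bytes, True)
    return "".join(chunks)


def build_xxe_payload(target_file: str) -> bytes:
    """Constructed attacker input: an entity whose SYSTEM id points at a file
    on the parser's host, referenced from a field the application echoes."""
    uri = Path(target_file).resolve().as_uri()
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE order [\n"
        b'  <!ENTITY xxe SYSTEM "' + uri.encode() + b'">\n'
        b"]>\n"
        b"<order><customer>&xxe;</customer></order>"
    )


BENIGN = b"<order><customer>ACME</customer></order>"   # constructed input


def demo() -> dict:
    """Create a stand-in secret file, then run both parsers on the payload."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("db_password=s3cr3t\n")   # constructed secret, not a real one
        secret_path = fh.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except DtdNotAllowed:
            blocked = True
        return {"leaked": leaked.strip(), "blocked": blocked,
                "benign": parse_hardened(BENIGN)}
    finally:
        Path(secret_path).unlink()


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the file contents appearing where `&xxe;` stood in the vulnerable parse, while the hardened parser raises `DtdNotAllowed` on the same input and still parses the DTD-free `BENIGN` document normally. Rejecting the DOCTYPE outright, rather than only refusing to fetch entities, is the setting OWASP recommends because it also removes the entity-expansion denial-of-service path.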
