HIGH xml external entitiesaspnetcsharp

Xml External Entities in Aspnet (Csharp)

Scan for xml external entities in aspnet

Xml External Entities in Aspnet with Csharp

XML External Entity (XXE) injection occurs when an application processes XML input that references external entities, and this risk is present in ASP.NET applications that deserialize XML in C#. If an ASP.NET endpoint accepts XML payloads—such as SOAP messages, configuration uploads, or legacy web service inputs—and uses .NET XML parsers without disabling external entity resolution, an attacker can leverage external entities to read local files, cause SSRF, or enumerate internal resources.

In C#, common entry points include XmlDocument, XmlReader, and XDocument when configured without secure settings. For example, using XmlDocument with default settings allows the parser to resolve external DOCTYPE declarations, which can be abused to load file:// URLs or trigger HTTP requests to attacker-controlled endpoints. A vulnerable pattern looks like this:

// Vulnerable: XmlDocument processes external entities by default
var xml = new XmlDocument();
xml.LoadXml(requestBody); // requestBody contains external entity references
var value = xml.SelectSingleNode("//data")?.InnerText;

An attacker can supply a payload such as:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
               <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root><data>&xxe;</data></root>

If the XML parser resolves the external entity, the contents of /etc/passwd may be included in the response or exfiltrated via a secondary channel. ASP.NET applications that use WCF with custom bindings or legacy ASMX services may also be affected when XML deserialization is enabled without appropriate safeguards. Because ASP.NET often runs with elevated trust in certain hosting configurations, successful XXE can lead to sensitive file disclosure and potential lateral movement within the runtime environment.

Beyond file disclosure, XXE can be chained with SSRF by directing external entity references to internal metadata services or local network services. For example, an external entity pointing to http://169.254.169.254/latest/meta-data/ can expose cloud instance metadata if the host is reachable from the parser. This amplifies the impact within cloud-hosted ASP.NET services. The vulnerability remains relevant when input validation is weak and XML processing is not explicitly hardened, even when using newer APIs that still rely on underlying .NET XML stacks.

Csharp-Specific Remediation in Aspnet

Securing XML processing in C# requires disabling external entity resolution and restricting DTD processing. The most effective approach is to use secure settings on the XML parser and avoid legacy APIs where possible. For XmlDocument, you can configure an XmlReaderSettings object that disables DTD processing and external entities, then use it to create an XmlReader for controlled parsing.

// Secure: XmlReader with DTD and external entity processing disabled
var settings = new XmlReaderSettings
{
    DtdProcessing = DtdProcessing.Prohibit,
    XmlResolver = null
};
using (var reader = XmlReader.Create(new StringReader(requestBody), settings))
{
    var xml = new XmlDocument();
    xml.Load(reader);
    var value = xml.SelectSingleNode("//data")?.InnerText;
}

For LINQ to XML (XDocument), you can achieve similar safety by using an XmlReader with the same settings:

// Secure: XDocument via XmlReader with restricted settings
var settings = new XmlReaderSettings
{
    DtdProcessing = DtdProcessing.Prohibit,
    XmlResolver = null
};
using (var reader = XmlReader.Create(new StringReader(requestBody), settings))
{
    var doc = XDocument.Load(reader);
    var value = doc.Descendants("data").FirstOrDefault()?.Value;
}

If you must work with XmlDocument directly and cannot change the parsing pattern globally, you can disable external resources by setting the resolver to null before loading, though using XmlReader is preferred:

// Partially safer: XmlDocument with resolver disabled
var xml = new XmlDocument();
xml.XmlResolver = null;
xml.LoadXml(requestBody);

In ASP.NET Web API or MVC, additional mitigations include validating incoming content types and rejecting XML when JSON or other safer formats suffice. For SOAP services, consider migrating to modern stacks that rely on JSON or explicitly configure secure bindings. Regularly scan your API surface with middleBrick to detect XXE and related issues; the scanner checks XML processing configurations as part of its Input Validation and Property Authorization checks. If your organization requires continuous assurance, the middleBrick Pro plan provides ongoing monitoring and CI/CD integration to fail builds when insecure XML handling is detected.

Scan for xml external entities in aspnet Free API security scan

Frequently Asked Questions

Can XXE occur in ASP.NET Core if I use JSON inputs only?
Yes, if your ASP.NET Core application includes XML deserialization endpoints or libraries that parse XML (e.g., for legacy protocols), XXE remains possible. JSON inputs are not vulnerable to XXE, but avoid introducing XML parsers unless necessary and always harden them as described.
Does enabling ASP.NET request validation protect against XXE?
No. ASP.NET request validation targets HTML/script injection, not XML entity expansion. You must explicitly configure DtdProcessing and XmlResolver on every XML parser to prevent XXE.

Related Pages

Xml External Entities in AspnetLearn how XML External Entities (XXE) vulnerabilities manifest in ASP.NET applications, how to detect them with middleBrCWE-1104 in Aspnet (Csharp)CWE-1104 in ASP.NET with C#: causes, risks, and C#-specific fixes using empty collections and null-coalescing patterns.CWE-116 in Aspnet (Csharp)Understand CWE-116 in ASP.NET with C#: causes, real code examples, and context-specific encoding fixes for HTML, JavaScrCWE-113 in Aspnet (Csharp)CWE-113 in ASP.NET with C#: risks, examples, and secure coding fixes for CRLF injection in headers and redirects.CWE-1039 in Aspnet (Csharp)CWE-1039 in ASP.NET with C#: exposure of environment and module data. Secure coding examples and remediation patterns.Hipaa: Xml External Entities in AspnetLearn how XML External Entity risks manifest in ASP.NET apps under HIPAA, and apply concrete .NET code fixes to disable Gdpr: Xml External Entities in AspnetLearn how GDPR intersects with XXE in ASP.NET, and apply concrete code fixes to secure XML parsing and protect personal Xml External Entities in Aspnet with Bearer TokensUnderstand how XML External Entities interact with bearer tokens in ASP.NET and apply secure XmlReader and XmlDocument cIso 27001: Xml External Entities in AspnetISO 27001 and XXE in ASP.NET: secure XML parsing examples and remediation guidance. Understand risks and apply DtdProcesCis: Xml External Entities in AspnetExplore XML External Entity risks in ASP.NET: how insecure parsing occurs and concrete code fixes to disable DTD processXml External Entities in Aspnet with Hmac SignaturesXml External Entities in Aspnet with Hmac Signatures: risks and secure parsing patterns with HMAC verification in ASP.NEXml External Entities in Aspnet with Basic AuthUnderstand XML External Entity risks in ASP.NET with Basic Auth, and apply secure XML parsing and authentication practic