A critical XML External Entity (XXE) vulnerability where .NET applications parse untrusted XML input using XmlDocument with DTD processing enabled. This allows attackers to read local files, perform Server-Side Request Forgery (SSRF) attacks, cause denial of service through entity expansion bombs, and potentially execute arbitrary code. XXE attacks can expose sensitive configuration files, credentials, and internal network resources.
// VULNERABLE: XmlDocument with default DTD processing
using System;
using System.Xml;
using System.IO;
public class VulnerableXmlProcessor
{
// SECURITY ISSUE: DTD processing enabled, XmlResolver not disabled
public static void ProcessUserXml(string xmlContent)
{
XmlDocument doc = new XmlDocument();
// VULNERABLE: Default settings allow XXE attacks
// DTD processing is enabled by default
// XmlResolver allows external entity loading
doc.LoadXml(xmlContent);
// Process the document
Console.WriteLine("Root element: " + doc.DocumentElement.Name);
}
// VULNERABLE: Loading XML from file without security
public static XmlDocument LoadConfigFile(string filePath)
{
XmlDocument doc = new XmlDocument();
// SECURITY ISSUE: No protection against XXE in file content
doc.Load(filePath);
return doc;
}
// VULNERABLE: Processing XML from web request
public static void ProcessWebXml(Stream xmlStream)
{
XmlDocument doc = new XmlDocument();
// SECURITY ISSUE: Untrusted XML from web request
// Could contain malicious DTD and external entities
doc.Load(xmlStream);
// Extract data from XML
XmlNodeList nodes = doc.SelectNodes("//data");
foreach (XmlNode node in nodes)
{
Console.WriteLine(node.InnerText);
}
}
}// SECURE: XmlDocument with XXE protection
using System;
using System.Xml;
using System.IO;
public class SecureXmlProcessor
{
// SECURE: Disabled external entity resolution
public static void ProcessUserXmlSecure(string xmlContent)
{
XmlDocument doc = new XmlDocument();
// SECURE: Disable external entity resolution
doc.XmlResolver = null;
doc.LoadXml(xmlContent);
Console.WriteLine("Root element: " + doc.DocumentElement.Name);
}
// SECURE: Loading XML with DTD protection
public static XmlDocument LoadConfigFileSecure(string filePath)
{
// Use XmlReader with secure settings
XmlReaderSettings settings = new XmlReaderSettings
{
DtdProcessing = DtdProcessing.Prohibit, // Disable DTD processing
XmlResolver = null // Disable external resolution
};
XmlDocument doc = new XmlDocument();
doc.XmlResolver = null;
using (XmlReader reader = XmlReader.Create(filePath, settings))
{
doc.Load(reader);
}
return doc;
}
// SECURE: Processing XML from web request
public static void ProcessWebXmlSecure(Stream xmlStream)
{
// Secure XML processing
XmlReaderSettings settings = new XmlReaderSettings
{
DtdProcessing = DtdProcessing.Prohibit,
XmlResolver = null
};
XmlDocument doc = new XmlDocument();
doc.XmlResolver = null;
using (XmlReader xmlReader = XmlReader.Create(xmlStream, settings))
{
doc.Load(xmlReader);
}
// Process the secure document
XmlNodeList nodes = doc.SelectNodes("//data");
foreach (XmlNode node in nodes)
{
Console.WriteLine(node.InnerText);
}
}
}The vulnerable examples show XmlDocument usage with default DTD processing that enables XXE attacks. The secure implementations disable external entity resolution, implement input validation, and use secure XmlReaderSettings to prevent XXE vulnerabilities.
XmlDocument in .NET Framework enables DTD processing by default, allowing external entity resolution when parsing untrusted XML. This commonly occurs when developers are unaware of the security implications of DTD processing or when using legacy XML parsing patterns that predate modern security practices.
Sourcery automatically identifies c# xmldocument xxe via dtd processing of public input and many other security issues in your codebase.