💠 Some of the ways to prevent XML External Entity attacks, according to OWASP, are:
🔹 Whenever possible, use less complex data formats, such as JSON, and avoid serialization of sensitive data.
🔹 Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system.
🔹 Use dependency checkers, and update SOAP to SOAP 1.2 or higher.
🔹 Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet ‘XXE Prevention.’
🔹 Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
🔹 Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
🔹 SAST tools can help detect XXE in source code – although manual code review is the best alternative in large, complex applications with many integrations.
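As an added illustration of the "disable XML external entity and DTD processing" control (example code written for this post, not from OWASP or the original text), a Python standard-library wrapper that refuses any DOCTYPE, entity declaration, or external entity reference before handing the document to ElementTree. The sample documents at the bottom are constructed for the demo.

```python
"""Hardened XML loading: reject DTDs and entities before the data is trusted."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses DTD or entity features we never accept."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXMLError(f"DOCTYPE declaration rejected: {name!r}")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise UnsafeXMLError(f"entity declaration rejected: {name!r}")


def _reject_external_ref(context, base, sysid, pubid):
    raise UnsafeXMLError(f"external entity reference rejected: {sysid!r}")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTD and entity processing disabled.

    A first pass with a bare expat parser aborts on any DOCTYPE, entity
    declaration, or external reference (the exception raised in the handler
    propagates out of Parse); only documents that pass cleanly reach ElementTree.
    """
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.EntityDeclHandler = _reject_entity
    scanner.ExternalEntityRefHandler = _reject_external_ref
    # Never fetch or expand parameter entities either.
    scanner.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    scanner.Parse(data, True)  # raises UnsafeXMLError or expat.ExpatError
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the hardened rules, False otherwise."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, ET.ParseError, expat.ExpatError):
        return False


# Constructed sample inputs (hypothetical, not taken from any real system).
BENIGN = b"<?xml version='1.0'?><order><id>42</id></order>"
WITH_DTD = b"<?xml version='1.0'?><!DOCTYPE order><order><id>42</id></order>"
WITH_EXTERNAL_ENTITY = (b"<?xml version='1.0'?>"
                        b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder'>]>"
                        b"<order><id>&ext;</id></order>")
```

Any document carrying a DOCTYPE is rejected outright, which is the strictest option in the OWASP cheat sheet; if your application legitimately needs internal DTDs, keep the external-reference and parameter-entity blocks and relax only the DOCTYPE handler.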
💠 If these controls are not possible, consider using:
🔹 Virtual patching
🔹 API security gateways
🔹 Web Application Firewalls (WAFs) to detect, monitor, and block XXE attacks
✅ That’s it! You are done.