The safest way to prevent XXE is to disable external entities completely. Disabling them also protects the parser against denial-of-service (DoS) attacks such as Billion Laughs (CVE-2019-5442), which specifically targets XML parsers.
In October 2019, StackRox reported a security issue in the Kubernetes API server (GitHub repository): its handling of YAML made it vulnerable to the billion laughs DoS attack. StackRox themselves stated, “The issue once again serves as a reminder that, like all software, Kubernetes is vulnerable to zero-day exploits”.
EXAMPLE OF AN ATTACK
This Java example uses XMLReader, which parses the XML file directly with the underlying XML libraries. During parsing, the external entity is resolved and retrieved, i.e. common.xml, which could be a shared XML file used by multiple users of the system and may be controlled by an external user. If a malicious user carefully crafts the content of that file, the downstream system's configuration is endangered.
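The hardened counterpart to the parser described above, as an added example that is not the article's own code: it builds a SAX XMLReader with DTD processing and external entities disabled, then feeds it two constructed documents, one that declares an external entity pointing at a shared file and one with no DOCTYPE at all. The class name, the two sample documents and the placeholder path to common.xml are assumptions for this illustration. Because Billion Laughs expands internal entities and never needs an external one, the example rejects the DOCTYPE outright rather than relying on the external-entity switches alone.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlReader {

    // Constructed sample documents (not from the article). The first declares an
    // external entity that would pull in a shared file; the second is a plain,
    // entity-free document. The file path is a placeholder.
    static final String WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE config [ <!ENTITY shared SYSTEM \"file:///path/to/common.xml\"> ]>\n"
      + "<config>&shared;</config>";

    static final String PLAIN =
        "<?xml version=\"1.0\"?><config><timeout>30</timeout></config>";

    // Builds an XMLReader with DTD processing and external entities switched off.
    // Rejecting the DOCTYPE also blocks internal-entity expansion bombs such as
    // Billion Laughs, which do not need an external entity at all.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Primary control: refuse any DOCTYPE declaration.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for deployments where a DOCTYPE must be tolerated.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Even if a DTD were accepted, never resolve an entity to a real resource.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    // Returns true if the document was accepted, false if the parser rejected it.
    static boolean tryParse(XMLReader reader, String xml) throws IOException {
        try {
            reader.setContentHandler(new DefaultHandler());
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        XMLReader reader = hardenedReader();
        System.out.println("plain document accepted: " + tryParse(reader, PLAIN));
        System.out.println("document with DOCTYPE accepted: " + tryParse(reader, WITH_EXTERNAL_ENTITY));
    }
}
```

With the default JDK SAX implementation the plain document parses, while the document carrying a DOCTYPE is rejected before any entity is resolved, so common.xml is never read. The extra feature flags and the empty EntityResolver only matter if disallow-doctype-decl has to be relaxed; keeping them set costs nothing and covers parsers that do not honour every feature.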