XML external entity attack

The standard defines a concept called an entity, which is a term that refers to multiple types of data unit.

The XML processor then replaces each occurrence of the named external entity with the content referenced by its system identifier.

In some situations, an XML processor library that is vulnerable to client-side memory corruption issues may be exploited by dereferencing a malicious URI, possibly allowing arbitrary code execution under the application account.

Other attacks can access local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released.

Since the entire XML document is communicated from an untrusted client, it is not usually possible to selectively validate or escape tainted data within the system identifier in the DTD.
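Because the system identifier cannot be sanitised after the fact, the practical mitigation is to refuse DTD features before the processor dereferences anything. The following is an added example, not code from the original page: it uses the standard library's expat binding (`xml.parsers.expat`) to reject any DOCTYPE by default, to abort on entity declarations that carry a system or public identifier even when an internal subset is allowed, to refuse external entity dereferencing as defence in depth, and to cap expanded character data as a crude guard against the availability problem above. The function, class and sample documents are this example's own inventions.

```python
"""Guarded parsing of untrusted XML: refuse external entities instead of
trying to validate the system identifier inside an untrusted DTD.
Added example for this page; standard library only."""
import xml.parsers.expat


class UnsafeXmlRejected(ValueError):
    """Raised when the document uses a DTD feature the parser does not accept."""


def parse_untrusted_xml(data, allow_dtd=False, max_text=1_000_000):
    """Parse XML from an untrusted client; return (root_tag, text_content).

    allow_dtd=False rejects any DOCTYPE outright.  With allow_dtd=True an
    internal subset is accepted, but any entity declaration that carries a
    system or public identifier (an external entity) still aborts the parse,
    and max_text caps total expanded character data so a document cannot
    tie up the process by expanding without bound.
    """
    parser = xml.parsers.expat.ParserCreate()
    root_tag = []
    chunks = []
    seen = [0]

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXmlRejected("DOCTYPE declarations are not accepted")
        if system_id is not None or public_id is not None:
            # An external DTD subset would itself be fetched from a URI.
            raise UnsafeXmlRejected(f"external DTD subset {system_id or public_id!r} refused")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # An external entity has no inline value; it has a system/public identifier.
        if system_id is not None or public_id is not None:
            raise UnsafeXmlRejected(f"external entity {name!r} -> {system_id or public_id!r} refused")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: never dereference a system identifier, however it was declared.
        raise UnsafeXmlRejected(f"refusing to dereference {system_id!r}")

    def on_start(name, attrs):
        if not root_tag:
            root_tag.append(name)

    def on_chars(text):
        seen[0] += len(text)
        if seen[0] > max_text:
            raise UnsafeXmlRejected("expanded text exceeds budget")
        chunks.append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars

    parser.Parse(data, True)
    return (root_tag[0] if root_tag else None), "".join(chunks)


# Constructed sample documents (not taken from the page).
BENIGN = b'<?xml version="1.0"?><order><item>widget</item></order>'
INTERNAL_ENTITY = b'<!DOCTYPE order [<!ENTITY unit "widget">]><order>&unit;</order>'
EXTERNAL_ENTITY = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/local/resource">]>'
                   b'<order>&ext;</order>')


def classify(data, allow_dtd=False):
    """Return the parse result, or the rejection reason as a string."""
    try:
        return parse_untrusted_xml(data, allow_dtd=allow_dtd)
    except UnsafeXmlRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("internal", INTERNAL_ENTITY), ("external", EXTERNAL_ENTITY)]:
        print(label, "| strict:", classify(doc), "| dtd allowed:", classify(doc, allow_dtd=True))
```

The strict default is what most services should run: a document that needs no DTD parses to `("order", "widget")`, while anything carrying a DOCTYPE is rejected before a single declaration is processed. The `allow_dtd=True` path shows the narrower policy for applications that genuinely need internal entities; the external declaration is still refused at declaration time, so the processor never reaches the point of resolving the system identifier.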