XXE happens because
- Recent XML parsers have started allowing external entities
- Older XML parsers did not disable external entities
- Recent XML parsers have started disabling external entities
- Older XML parsers are just now implementing external entities
- Newer data formats such as XML are replacing older ones such as JSON
XXE can be abused by
- Grabbing files from the server
- Not implementing the token correctly
- Executing local code
- Executing remote code
Some tips to protect against XXE are
- Preferably, do not allow any user-supplied data as part of an XML request or as a full request
- Verify the token at all requests
- If you must allow XML external entities due to technical constraints, make sure to filter and validate user input properly.
- Implement effective firewalls against SQLi
- None of the above
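As an added example, not part of the original quiz, the script below shows the file-disclosure case from the questions above together with the fix. The same XXE payload is parsed twice with the standard library's xml.sax: once with external general entities enabled, which is what older parsers did by default, and once with them disabled, which has been Python's default since 3.7.1. The secret file, its path and the payload are constructed for the demo; nothing here is code from the quiz's author.

```python
"""Added example: one XXE payload, parsed with external entities enabled
(the 'older parser' behaviour) and then disabled (the hardened default).
Only the standard library's xml.sax is used; the secret file and the
payload are constructed for the demo."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Classic XXE payload: the DOCTYPE declares an external entity that points at
# a file on the server, and the body references it so that the parser copies
# the file's content into the document the application then reads.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file://{path}">
]>
<order><item>&xxe;</item></order>
"""


class TextCollector(ContentHandler):
    """Collects character data so we can see what the application would get."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def parse_order(xml_bytes, allow_external_entities):
    """Parse the document, returning the text content the handler received."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls whether external general entities such as
    # &xxe; are fetched and expanded. False is the safe (and modern default).
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_demo():
    """Return (leaked_text, hardened_text) for the same payload."""
    # Constructed stand-in for a server-side secret (think /etc/passwd or a
    # configuration file); it is created and removed by the demo itself.
    fd, path = tempfile.mkstemp(prefix="xxe_demo_", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("SECRET-TOKEN-123\n")
    try:
        payload = XXE_PAYLOAD.format(path=path).encode()
        leaked = parse_order(payload, allow_external_entities=True)
        hardened = parse_order(payload, allow_external_entities=False)
    finally:
        os.remove(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = xxe_demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(hardened))
```

Run it and the first line prints the secret while the second prints an empty string: the only difference is the parser feature, not the input. This is why the recommended fix is to leave external entity and DTD processing off (or use a library such as defusedxml that does so for you) rather than to rely on filtering: the reference in the body, `&xxe;`, looks like harmless text, and the file path lives in the DOCTYPE, which naive input validation of the "data" fields never sees.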