Java natively supplies many different options to parse XML. However, all available parsers in Java have XML eXternal Entity (XXE) enabled by default. This makes Java XML libraries particularly vulnerable to XXE injection.
With XXE enabled, it is possible to create a malicious XML that reads the content of an arbitrary file on the machine. It’s not a surprise that XXE attacks are part of the OWASP Top 10 vulnerabilities. In this video, I explain how XXE injection works, and I demonstrate how you can prevent these types of attacks in your own Java code.