TL;DR
Yes, even a static HTML site can be vulnerable to XML External Entity (XXE) attacks if it processes user-supplied XML data. This is usually through server-side components like form processing scripts or build tools that handle XML configuration files.
What is an XXE Attack?
An XXE attack exploits vulnerabilities in applications that parse XML input. Attackers inject malicious XML code to:
- Read local files: Access sensitive data on the server.
- Internal scans: Discover internal network structure.
- Denial of Service (DoS): Crash the application by consuming resources.
How can a Static Site be Vulnerable?
Static sites themselves don’t directly parse XML, but vulnerabilities often exist in these areas:
- Form Processing: If your static site has forms that submit data to a server-side script (e.g., PHP, Python) and that script parses XML, it’s vulnerable.
- Build Processes: Static site generators (like Jekyll, Hugo) might use XML configuration files. If these are modified by user input during build time, an XXE vulnerability is possible.
- Third-Party Integrations: Any server-side component integrated with your static site that handles XML data could be a point of attack.
How to Prevent XXE Attacks
- Disable External Entities: This is the primary defense.
  - PHP: Call libxml_disable_entity_loader(true); before parsing. This is a function, not a php.ini directive; on PHP 8.0+ it is deprecated because libxml 2.9+ already disables external entity loading by default. Also never pass the LIBXML_NOENT flag to the DOM or SimpleXML loaders, since that re-enables entity substitution.

    ```php
    libxml_disable_entity_loader(true);
    ```

  - Python (lxml): Use a parser that disables external entities by default, or explicitly disable them:

    ```python
    from lxml import etree

    # resolve_entities=False stops external entity expansion; no_network=True
    # additionally blocks fetching remote DTDs or entities while parsing.
    parser = etree.XMLParser(resolve_entities=False, no_network=True)
    tree = etree.fromstring(data, parser)
    ```

  - Java: Configure your XML parsers to disable external entities:

    ```java
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Reject any DOCTYPE outright; this is the most complete defence.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Belt and braces: also switch off external general and parameter entities.
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
    ```
- Input Validation: While not a complete solution, validate XML input to ensure it conforms to expected schemas.
- Restrict allowed characters and tags.
- Use whitelisting instead of blacklisting.
- Least Privilege: Run your server-side processes with the minimum necessary permissions. This limits the damage an attacker can do if they exploit a vulnerability.
- Regular Updates: Keep all software (libraries, frameworks) up to date to patch known vulnerabilities.
- Web Application Firewall (WAF): A WAF can help detect and block XXE attacks.
Testing for XXE
You can test for XXE by sending a malicious XML payload to your server-side component. The payload declares an external entity named xxe in the DOCTYPE, pointing it at /etc/passwd, and then references it in the document body. Only the tail of that payload (the end of the DOCTYPE and the entity reference) is shown here:

```xml
]>
&xxe;
```

If the server is vulnerable and echoes parsed content back, this payload will cause it to read the /etc/passwd file. Look for the contents of that file in the response; a hardened parser either rejects the DOCTYPE or silently drops the reference.
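The following Python script is an added example, not code from the original page. It reproduces the vulnerable-versus-hardened contrast from the prevention section and the test from this section using only the standard library's xml.sax parser (rather than lxml), so it runs offline. It writes a constructed secret to a temporary file and points the entity's SYSTEM identifier at that file instead of /etc/passwd; the document shape, the entity name xxe, and the helper names parse_with_sax, xxe_demo and leaked are assumptions made for this demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects every character event so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_with_sax(xml_bytes, allow_external_entities):
    """Parse xml_bytes and return the text content the parser produced.

    feature_external_ges is the SAX switch for resolving external general
    entities, the mechanism an XXE payload relies on. It defaults to False in
    Python 3.7.1+; setting it True reproduces a vulnerable configuration.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_demo():
    """Run the same XXE-shaped document through a vulnerable and a hardened parser."""
    # Constructed stand-in for a sensitive server file; nothing real is read.
    secret = "SECRET-TOKEN-12345"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret + "\n")
        secret_path = fh.name
    try:
        # Constructed document with the shape of the test payload: an external
        # entity declared in the DOCTYPE and referenced in the body. The SYSTEM
        # identifier points at the temp file rather than /etc/passwd.
        doc = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
            "<doc>&xxe;</doc>"
        ).encode()
        vulnerable = parse_with_sax(doc, allow_external_entities=True)
        hardened = parse_with_sax(doc, allow_external_entities=False)
    finally:
        os.unlink(secret_path)
    return {"vulnerable": vulnerable, "hardened": hardened}


def leaked(result, secret="SECRET-TOKEN-12345"):
    """True if the parsed text contains the file content, i.e. XXE succeeded."""
    return secret in result


if __name__ == "__main__":
    outcome = xxe_demo()
    print("external entities enabled :", "LEAKED" if leaked(outcome["vulnerable"]) else "safe")
    print("external entities disabled:", "LEAKED" if leaked(outcome["hardened"]) else "safe")
```

Run it with python3 and compare the two results: with feature_external_ges enabled the secret appears in the parsed text, with it disabled (the default since Python 3.7.1) the reference is silently skipped and nothing is read. The same contrast is what resolve_entities=False gives you in lxml, and what disallow-doctype-decl gives you in Java; the check to build into your own tests is simply "does any file content show up in the parsed output?".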

