Objective-C : XML external entity (XXE injection)
Classification
OWASP Mobile Top 10 2014
OWASP ASVS
PCI DSS 4.0
CWE
CWE/SANS Top 25 2021
Overview
An XXE (XML eXternal Entity) attack is possible. An attacker can cause the application to malfunction or gain access to sensitive data.
XML allows the content of third-party files to be included in a document through the entity mechanism defined in the DTD (Document Type Definition). If an external entity is defined in the XML header, the developer can use its contents in the XML file. External entities are not validated during the XML parsing phase.
If the application processes an XML file received from an untrusted source (e.g., user input), an attacker can inject an external entity that is malicious or not intended by the application into the XML file, and thus disrupt the application's functionality.
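The following added example (not part of the original entry or of DerScanner's own material) shows one way to parse untrusted XML with Foundation's `NSXMLParser` so that external entities are never resolved and a document is rejected if the parser reports an external entity declaration. It assumes ARC; `StrictXMLDelegate` and `ParseUntrustedXML` are hypothetical names, and both sample documents are constructed.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical delegate (not from the original page): aborts parsing as soon
// as the parser reports an external entity declaration in the DTD.
@interface StrictXMLDelegate : NSObject <NSXMLParserDelegate>
@property (nonatomic) BOOL sawExternalEntity;
@end

@implementation StrictXMLDelegate
- (void)parser:(NSXMLParser *)parser
    foundExternalEntityDeclarationWithName:(NSString *)name
                                  publicID:(NSString *)publicID
                                  systemID:(NSString *)systemID {
    self.sawExternalEntity = YES;
    [parser abortParsing];
}
@end

// Returns YES only if parsing completed and no external entity declaration
// was reported by the parser.
static BOOL ParseUntrustedXML(NSData *data) {
    NSXMLParser *parser = [[NSXMLParser alloc] initWithData:data];
    // Weak setting for untrusted input would be:
    //   parser.shouldResolveExternalEntities = YES;
    // Set it to NO explicitly so the intent survives refactoring.
    parser.shouldResolveExternalEntities = NO;
    StrictXMLDelegate *delegate = [StrictXMLDelegate new];
    parser.delegate = delegate; // parser does not retain its delegate
    BOOL parsed = [parser parse];
    return parsed && !delegate.sawExternalEntity;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample inputs; the SYSTEM identifier is a placeholder.
        NSString *plain = @"<?xml version=\"1.0\"?><order><id>42</id></order>";
        NSString *withEntity =
            @"<?xml version=\"1.0\"?>"
            @"<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
            @"<order><id>&ext;</id></order>";
        for (NSString *doc in @[plain, withEntity]) {
            NSData *data = [doc dataUsingEncoding:NSUTF8StringEncoding];
            NSLog(@"accepted=%d", ParseUntrustedXML(data));
        }
    }
    return 0;
}
```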
CRITICAL
DerScanner Severity Score
