XML External Entity (XXE) Prevention

XXE vulnerabilities occur when an XML processor resolves external entity references declared in the DTD of an attacker-supplied document.

Apache configuration for XXE prevention at the web-server layer. This is a request filter in front of the application, not a substitute for disabling DTD and external-entity processing in the parser itself:

# Web-server-layer filter for an XML upload endpoint. It does not change how the
# application's XML parser behaves; DTD and external-entity processing must still
# be disabled in the parser. These rules reject obvious entity declarations
# before they reach it.
<Location /xml-upload>
    # Force content type validation
    <If "%{CONTENT_TYPE} !~ m#^application/xml#">
        Require all denied
    </If>

    # Body inspection requires ModSecurity to buffer request bodies
    SecRequestBodyAccess On

    # Phase 1: make the raw body available as REQUEST_BODY in phase 2. ModSecurity
    # only populates REQUEST_BODY for URL-encoded bodies unless this is forced.
    # (If an XML body processor is selected, e.g. by the OWASP CRS, inspect XML:/*
    # instead.)
    SecRule REQUEST_HEADERS:Content-Type "^application/xml" \
        "id:2000,\
        phase:1,\
        pass,\
        nolog,\
        t:lowercase,\
        ctl:forceRequestBodyVariable=On"

    # Phase 2: XML body declaring an external entity. REQUEST_BODY is not
    # available in phase 1, and in a chain the phase, the disruptive action and
    # the metadata (id, msg, severity) belong on the first rule, not the chained
    # one; the original placed them on the second rule.
    SecRule REQUEST_HEADERS:Content-Type "^application/xml" \
        "id:2001,\
        phase:2,\
        block,\
        t:lowercase,\
        msg:'XXE Attack Detected',\
        severity:CRITICAL,\
        chain"
        SecRule REQUEST_BODY "@rx <!ENTITY.*?SYSTEM.*?>"

    # Any DOCTYPE whose internal subset declares an entity. The original pattern
    # <!DOCTYPE[^>]*>(\s|\S)*<!ENTITY stopped at the first '>' and then required a
    # second <!ENTITY, so it missed the common single-entity case.
    SecRule REQUEST_BODY "@rx <!DOCTYPE[\s\S]*?<!ENTITY" \
        "id:2002,\
        phase:2,\
        block,\
        msg:'Possible XXE Attack',\
        severity:CRITICAL"
</Location>
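As an added example that is not part of the original page, the following Python script runs the request-body patterns from rules 2001 and 2002 against a few constructed request bodies, so the rule author can see what each pattern does and does not match before deploying it. It uses Python's re module in place of ModSecurity's @rx (PCRE); the two engines agree on these patterns. The sample bodies and the placeholder entity URI are constructed for the test and are not real traffic.

```python
import re

# The request-body patterns from ModSecurity rules 2001 and 2002 on this page,
# compiled with Python's re module in place of ModSecurity's @rx (PCRE).
RULE_2001_ENTITY_SYSTEM = re.compile(r"<!ENTITY.*?SYSTEM.*?>")
RULE_2002_AS_WRITTEN = re.compile(r"<!DOCTYPE[^>]*>(\s|\S)*<!ENTITY")
# Corrected 2002 pattern: any DOCTYPE whose internal subset declares an entity.
RULE_2002_CORRECTED = re.compile(r"<!DOCTYPE[\s\S]*?<!ENTITY")

# Constructed sample request bodies (not real traffic). The entity URI is a
# placeholder, not a real path.
SAMPLES = {
    # No DOCTYPE at all.
    "plain": "<?xml version='1.0'?><order><id>42</id></order>",
    # External DTD reference but no entity declaration in the body. Neither
    # rule covers this shape, which is one reason the parser-side fix is the
    # primary control.
    "external_dtd": "<?xml version='1.0'?><!DOCTYPE order SYSTEM 'order.dtd'><order/>",
    # A single external entity declared in the internal subset, the usual shape.
    "single_external_entity": (
        "<?xml version='1.0'?>\n"
        "<!DOCTYPE order [\n"
        "  <!ENTITY ext SYSTEM 'file:///PLACEHOLDER'>\n"
        "]>\n"
        "<order>&ext;</order>"
    ),
    # Internal (non-SYSTEM) entity only; rule 2001 is expected to ignore it.
    "internal_entity": "<!DOCTYPE order [<!ENTITY big 'aaaa'>]><order>&big;</order>",
}


def evaluate(body: str) -> dict:
    """Report which body patterns fire on one request body."""
    return {
        "2001_entity_system": bool(RULE_2001_ENTITY_SYSTEM.search(body)),
        "2002_as_written": bool(RULE_2002_AS_WRITTEN.search(body)),
        "2002_corrected": bool(RULE_2002_CORRECTED.search(body)),
    }


def blocked_by(body: str, use_corrected_2002: bool) -> bool:
    """True if the rule set (as written, or with the corrected 2002 pattern)
    would block this body. Either rule firing is enough to block."""
    hits = evaluate(body)
    doctype_hit = hits["2002_corrected"] if use_corrected_2002 else hits["2002_as_written"]
    return hits["2001_entity_system"] or doctype_hit


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:24s} {evaluate(body)}")
```

Running the script shows that the 2002 pattern as written never fires on the single-entity body, because `[^>]*>` consumes the entity declaration's own `>` and the pattern then demands a second `<!ENTITY`; the corrected pattern fires on both entity-declaring bodies, and nothing fires on the external-DTD-only body.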