Hardening Internal Tools Against XXE

Over the past quarter I have been helping our platform team refactor a configuration service that several delivery pipelines depend on. During that review I spotted an XML External Entity (XXE) injection vector that could have exposed environment variables and IAM credentials to any engineer with access to the internal UI. This post documents how we found the issue, why the existing pipeline tests missed it, and how we closed the gap without blocking deploy velocity. ...

2024-10-12 · 2 min · Almog Shoshan

Threat Hunting Notes: Detecting XXE Abuse

While partnering with the DevOps group on eliminating XML External Entity (XXE) bugs, I also built a detection playbook to catch real-world exploitation. Internal services often run with elevated permissions, so even a low-volume XXE probe can give an attacker high-impact secrets. Below is the stack we assembled to watch for abuse without drowning the SOC in false positives.

Telemetry sources. We forward the reverse proxy logs, application structured logs, Falco alerts, and AWS CloudTrail events into our SIEM. XXE attempts typically include three telltale signs: <!DOCTYPE declarations, outbound calls to the metadata service (169.254.169.254), and errors linked to unexpected entity expansion. Capturing all three lets us correlate attempts to a specific service or user. ...

2024-10-05 · 2 min · Almog Shoshan