Detect XXE Attacks from Text Input in PHP

XML External Entity (XXE) attacks are becoming a frequent occurrence and being exposed to one can cause significant damage to both company and user information. However, avoiding these threats is made easy by using the following API in PHP to detect XXE attacks from text input; beyond the primary purpose, you also have the option to allow/block internet-based dependency URLs (blocking recommended), and create lists for known safe/unsafe URLs.

Our first step is to install the PHP API client:

composer require cloudmersive/cloudmersive_validate_api_client

Post-installation, we are ready to call the function with the following code:

<?php
require_once(__DIR__ . '/vendor/autoload.php');
// Configure API key authorization: Apikey
$config = Swagger\Client\Configuration::getDefaultConfiguration()->setApiKey('Apikey', 'YOUR_API_KEY');
$apiInstance = new Swagger\Client\Api\TextInputApi(
    
    
    new GuzzleHttp\Client(),
    $config
);
$value = "value_example"; // string | User-facing text input.
$allow_internet_urls = true; // bool | Optional: Set to true to allow Internet-based dependency URLs for DTDs and other XML External Entitites, set to false to block.  Default is false.
$known_safe_urls = "known_safe_urls_example"; // string | Optional: Comma separated list of fully-qualified URLs that will automatically be considered safe.
$known_unsafe_urls = "known_unsafe_urls_example"; // string | Optional: Comma separated list of fully-qualified URLs that will automatically be considered unsafe.
try {
    $result = $apiInstance->textInputCheckXxe($value, $allow_internet_urls, $known_safe_urls, $known_unsafe_urls);
    print_r($result);
} catch (Exception $e) {
    echo 'Exception when calling TextInputApi->textInputCheckXxe: ', $e->getMessage(), PHP_EOL;
}
?>

To retrieve your personal API key, head to the Cloudmersive website to register for a free account and gain access to 800 calls/month across our multitude of APIs.