Xml External Entities in Actix with Basic Auth

Xml External Entity (XXE) injection is a web security issue that occurs when an XML parser processes external entity references in a way that can disclose local files, trigger SSRF, or amplify denial-of-service impact. When you combine an Actix-based HTTP API with XML input processing and Basic Authentication, the attack surface can expand in ways that make detection harder and remediation more nuanced.

Actix-web is a Rust framework for building HTTP services. If your Actix service exposes an unauthenticated or weakly authenticated XML endpoint (for example, an XML upload or SOAP-style endpoint) and uses an XML parser that resolves external entities, an attacker can leverage XXE even when Basic Auth is present. Basic Auth typically protects the endpoint at the HTTP layer, but it does not change how the XML parser behaves once the request is authorized. This means an authenticated request can still carry malicious XML that reads files such as /etc/passwd or triggers SSRF against internal metadata services.

The combination is risky because developers may assume that Basic Auth is sufficient to secure the XML processing path. However, authentication and input validation are separate controls. An attacker who obtains or guesses a valid username and password can craft an XML body with external entity definitions and parameter entities to probe internal networks or exfiltrate data. Moreover, because Actix services often run behind reverse proxies or load balancers, the presence of Basic Auth might be inherited from upstream headers, giving a false sense of coverage while the XML parser remains vulnerable.

During a black-box scan, checks that test for XML External Entity injection will send crafted XML payloads through authenticated channels to verify whether the parser resolves external references. These tests validate that entity expansion is disabled and that external DTDs are not fetched. Without proper parser hardening, an XML payload like &xxe SYSTEM "file:///etc/passwd" can be used to trigger file disclosure if the server is misconfigured to resolve entities.

MiddlewareBrick’s approach to this scenario is to test the unauthenticated attack surface first, then follow up with authenticated probes when credentials are supplied. For endpoints that require Basic Auth, the scanner will include the Authorization header in its XML injection payloads to confirm whether authentication bypass or misconfiguration allows entity resolution. This helps identify whether the presence of Basic Auth is truly protective or merely obscuring an underlying XML parsing risk.

Remediation guidance centers on disabling external entity resolution in your XML parser and ensuring that authentication is not the only security control. You should configure your Actix XML handling to disallow DOCTYPE declarations and external entities, and treat Basic Auth as a boundary control rather than a fix for insecure parsing. Regular scanning with a tool that covers OWASP API Top 10 categories, including XXE, helps surface regressions early.

Securing an Actix service that uses Basic Auth while also preventing XML External Entity injection involves both configuration and code changes. Below are concrete, realistic examples that show how to implement secure authentication and harden XML parsing.

First, ensure that your Actix application validates credentials before processing any request body, including XML. Use middleware or extractor guards to reject unauthorized requests early, which reduces unnecessary parsing of potentially malicious payloads.

use actix_web::{web, App, HttpResponse, HttpServer, middleware::Logger};
use actix_web::http::header::HeaderValue;
use actix_web::dev::ServiceRequest;
use actix_web::error::ErrorUnauthorized;
use std::sync::Arc;

async fn validate_basic_auth(req: ServiceRequest) -> Result {
    const VALID_USER: &str = "admin";
    const VALID_PASS: &str = "s3cur3P@ss!";

    if let Some(auth_header) = req.headers().get("Authorization") {
        if let Ok(auth_str) = auth_header.to_str() {
            if auth_str.starts_with("Basic ") {
                let encoded = &auth_str[6..];
                // In production, use a proper decoding and constant-time comparison
                let decoded = base64::decode(encoded).map_err(|_| ErrorUnauthorized("Invalid auth"))?;
                let creds = String::from_utf8(decoded).map_err(|_| ErrorUnauthorized("Invalid auth"))?;
                let parts: Vec<&str> = creds.splitn(2, ':').collect();
                if parts.len() == 2 && parts[0] == VALID_USER && parts[1] == VALID_PASS {
                    return Ok(req);
                }
            }
        }
    }
    Err(ErrorUnauthorized("Missing or invalid credentials"))
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .wrap(Logger::default())
            .route("/secure/xml", web::post().to(secure_xml_endpoint))
            .default_service(web::route().to(|| async { HttpResponse::Unauthorized().finish() }))
    })
    .bind("127.0.0.1:8080")?
    .run()
    .await
}

async fn secure_xml_endpoint(body: String) -> HttpResponse {
    // At this point, authentication has already been validated by middleware or an extractor
    // Do not enable external entity resolution here
    HttpResponse::Ok().body("Received securely")
}

Second, harden your XML parser to prevent XXE. If you are using an XML crate that supports disabling external entities, configure it accordingly. For example, using the xml-rs crate, you can disable DTD processing entirely:

use xml::reader::{EventReader, XmlEvent};
use std::io::Cursor;

fn parse_xml_safely(input: &str) -> Result<(), String> {
    let cursor = Cursor::new(input);
    let parser = EventReader::new(cursor);
    for event in parser {
        match event {
            Ok(XmlEvent::StartElement { name, .. }) => {
                // Process elements safely; no external DTD resolution
            }
            Ok(XmlEvent::EndElement { .. }) => {}
            Err(e) => return Err(format!("XML error: {}", e)),
            _ => {}
        }
    }
    Ok(())
}

// Example usage: ensure no DOCTYPE or external entities are present
let safe_input = r#"&lt;data&gt;test&lt;/data&gt;"#;
parse_xml_safely(safe_input).expect("Safe parse");

Third, combine these practices with scanning and monitoring. Use MiddleBrick’s CLI to scan your Actix endpoints regularly, especially if you expose XML processing routes. The CLI can be integrated into scripts to verify that authentication is required and that XML parsing does not inadvertently resolve external entities. For teams that need continuous oversight, the Pro plan’s continuous monitoring and CI/CD integration can help catch regressions before they reach production.

By enforcing strong authentication flows and disabling external entity resolution at the parser level, you reduce the risk that an authenticated XML endpoint becomes an avenue for file disclosure or SSRF. Remember that security relies on layered controls, and Basic Auth should be one component of a broader strategy that includes secure parsing and regular automated checks.