2

Lately I've seen so many attacks of this type, so I wanted to ask what the proper way is to defend against the XML External Entity (XXE) Processing vulnerability. For example, if I parse some simple XML in my app, how can I make it stronger so that this attack or billion laughs doesn't work? Attack:

[attack example shown as an image in the original post]

Also, how do I protect against these types of attacks? http://josipfranjkovic.blogspot.com/2014/12/reading-local-files-from-facebooks.html

Daniel
  • 1,422
  • 3
  • 21
  • 32

1 Answer

3

Have you done any research into this already? At the highest level, it is a matter of filtering and validating input and not permitting suspicious input (blacklist) or, better yet, a set of processing rules that whitelists what you want. If the XML is not being built programmatically, you can just scan for any external references and create rules to handle/validate them, or just deny the file. Depending on your processing library, there may be some built-in tools or options to address this.

The best place to start is probably OWASP:

The following paper also goes into more detail on these types of attacks: XML Schema, DTD, and Entity Attacks

Eric G
  • 9,691
  • 4
  • 31
  • 58
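The answer's whitelist approach (accept only plain documents, deny anything carrying external references, and lean on the parser's own options) can be shown concretely. The following is an added example, not code from the question or the answer: it uses only Python's standard-library expat binding, registers handlers that refuse any DOCTYPE, entity declaration or external entity reference before expansion happens, and caps the input size. The sample documents (`BENIGN`, `XXE`, `BILLION_LAUGHS`) and the `file:///placeholder/local/file` path are constructed for the demo.

```python
"""Reject XML that carries a DTD, entity declarations or external entity
references before anything is expanded, using only Python's stdlib expat."""
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when the document uses a feature we refuse to process."""


def parse_untrusted(data: bytes, max_bytes: int = 1_000_000) -> dict:
    """Parse `data` with a locked-down expat parser.

    Returns {element_name: text} for a simple flat document. Raises
    UnsafeXML on any DOCTYPE, entity declaration or external entity
    reference, and expat.ExpatError on malformed input.
    """
    # Cheap first line of defence against oversized (expansion-style) input.
    if len(data) > max_bytes:
        raise UnsafeXML(f"document exceeds {max_bytes} bytes")

    p = expat.ParserCreate()
    # Never fetch or parse parameter entities (external DTD subsets).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Whitelist stance: plain documents only. A DOCTYPE is the one place
    # entities can be declared, so refuse it outright.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not accepted")

    # Defence in depth: even if a DTD were allowed, refuse entity
    # declarations, which both XXE and billion-laughs payloads rely on.
    def reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} not accepted")

    # Returning 0 tells expat to abort instead of resolving the reference.
    def reject_external_ref(context, base, sysid, pubid):
        return 0

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity_decl
    p.ExternalEntityRefHandler = reject_external_ref

    # Minimal element/text collector so the happy path returns something useful.
    result, stack = {}, []

    def start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(text):
        if stack:
            result[stack[-1]] += text

    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    p.Parse(data, True)
    return result


def classify(data: bytes) -> str:
    """Summarise the outcome so callers can log or deny without exception handling."""
    try:
        parse_untrusted(data)
    except UnsafeXML as e:
        return f"rejected: {e}"
    except expat.ExpatError as e:
        return f"malformed: {e}"
    return "accepted"


# Constructed sample documents (not from the original post).
BENIGN = b'<?xml version="1.0"?><order><item>widget</item><qty>2</qty></order>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY ext SYSTEM "file:///placeholder/local/file">]>'
       b'<foo>&ext;</foo>')
BILLION_LAUGHS = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
                  b'<lolz>&lol2;</lolz>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("xxe", XXE), ("billion laughs", BILLION_LAUGHS)]:
        print(f"{label:15s} -> {classify(doc)}")
```

Refusing the DOCTYPE altogether is the simplest rule when you control the document format, because it closes both the external-entity and the entity-expansion paths in one place; the entity-declaration and external-reference handlers only matter if you ever decide to allow a DTD. If the application uses lxml instead of the stdlib, the equivalent library options are `lxml.etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)`, and the `defusedxml` package wraps the stdlib parsers with these protections applied by default.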