search
githubEdit

XML external entity (XXE)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

-- Wikipediaarrow-up-right

Generally, XXE vulnerabilities arise when resolution of external entities and/or XInclude is enabled in the app/xml parser.

hashtag
Retrieve files

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE file [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<some><xml>&xxe;</xml></some>

hashtag
SSRF

<!DOCTYPE request [ <!ENTITY xxe SYSTEM "http://internal.website.com"> ]>

hashtag
XInclude

You may be able to use XInlcude when you don't have control over the DOCTYPE element, e.g. in SOAP requests.

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>

hashtag
File uploads

Sometimes XML based files like SVG or DOCX can be uploaded and are then processed by the app.

E.g. XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]arrow-up-right

hashtag
Blind XXE

You can use out-of-band (OAST) to detect blind XXE vulnerabilities (e.g. using Burp Collaborator).

Via parameter entities:

hashtag
Exfiltrate data

Create a malicious.dtd file, hosted on attacker controlled system:

XXE payload on target:

hashtag
Retrieve data via error message

Create a malicious.dtd file, hosted on attacker controlled system:

XXE payload on target:

hashtag
Modified content type

Some apps accept text/xml as content type of POST requests instead of e.g. application/x-www-form-urlencoded. If so, malicious XML can be send to and will be proccessed by the app and my be exploitable that way.

PreviousCross site request forgery (CSRF)NextCross origin resource sharing (CORS)

Last updated