XXE
CWE-611: Improper Restriction of XML External Entity Reference
Last updated
CWE-611: Improper Restriction of XML External Entity Reference
Last updated
XML External Entity (XXE) is a type of vulnerability that occurs when an application processes user-supplied XML data without properly validating it. In XML, the term Entity refers to a storage unit of data, which can be internal (within the XML document) or external (an external file or URL). An attacker can exploit XXE to:
Read arbitrary files on the server (e.g., /etc/passwd).
Make requests to internal systems (Server-Side Request Forgery, SSRF).
Cause denial of service (DoS) by using large external entities.
Exfiltrate data by sending sensitive information to an external entity controlled by the attacker.
There are various types of XXE attacks:
Methodology whitechaitai
Convert the content type from "application/json"/"application/x-www-form-urlencoded" to "applcation/xml".
File Uploads allows for docx/xlcs/pdf/zip , unzip the package and add your evil xml code into the xml files.
If svg allowed in picture upload , you can inject xml in svgs.
If the web app offers RSS feeds , add your milicious code into the RSS.
Fuzz for /soap api , some applications still running soap apis
If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML request/reponse
LFI Test
Blind LFI test (when first case doesn't return anything)
Access Control bypass (loading restricted resources - PHP example)
SSRF Test
XEE (XML Entity Expansion - DOS)
XEE #2 (Remote attack - through external xml inclusion)
XXE FTP HTTP Server
https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
XXE UTF-7
To convert between UTF-8 & UTF-7 use recode. recode UTF8..UTF7 payload-file.xml
If a web application is filtering or blocking the word "ENTITY" to prevent XXE attacks, there are several bypass techniques you can try:
1. Case Manipulation:
Some filters are case-sensitive and may only block the exact string ENTITY in uppercase. You can try different cases, such as:
Test variations like:
<!entity>
<!EnTiTy>
2. Use Parameter Entities:
Instead of defining an external entity directly, you can use parameter entities (which start with %) to indirectly reference the malicious entity:
The malicious .dtd file hosted on attacker.com could contain the payload for reading a file.
3. Hex Encoding:
Sometimes, filters may miss encoded characters. You can try encoding the word ENTITY using its hexadecimal or decimal representation in XML:
This encodes "ENTITY" in decimal (69 for 'E', 78 for 'N', etc.). In hex, it would be <!ENTITY xxe SYSTEM "file:///etc/passwd">.
4. Using DTD Chaining:
If you have control over external DTDs, you can chain DTDs to bypass filters. This involves referencing a remote DTD file hosted by the attacker:
The external DTD file (external.dtd) can define the malicious entity, bypassing local filters.
5. XML Comments:
Sometimes filters miss entities hidden inside XML comments. You can obfuscate the payload by breaking the word ENTITY into parts:
6. Base64 Encoding:
You might be able to encode the payload and then decode it at runtime. Some parsers allow you to inject base64-encoded external entities and decode them:
This base64 string decodes to /etc/passwd.
7. Alternative External Sources (e.g., SYSTEM or PUBLIC):
Instead of using ENTITY, try to reference external files or URLs using alternative methods. For example:
Here, the external DTD contains the payload, and you avoid using the ENTITY keyword.
From a defensive perspective, to mitigate XXE attacks:
Disable external entity processing in XML parsers where it's not needed.
Use whitelisting for acceptable file or URL references in XML files.
Implement input validation to ensure only valid, trusted XML is processed.
Ensure your application is updated to use parsers that are not vulnerable to XXE by default.
👉 XML External Entity (XXE) Processing
👉 XML External Entity Prevention Cheat Sheet
👉 Testing for XML Injection (OTG-INPVAL-008)
XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx to Starbucks - 308 upvotes, $4000
XXE on pulse.mail.ru to Mail.ru - 263 upvotes, $6000
XXE on sms-be-vip.twitter.com in SXMP Processor to Twitter - 250 upvotes, $10080
XXE on https://duckduckgo.com to DuckDuckGo - 209 upvotes, $0
Phone Call to XXE via Interactive Voice Response to ██████ - 170 upvotes, $0
Partial bypass of #483774 with Blind XXE on https://duckduckgo.com to DuckDuckGo - 151 upvotes, $0
Multiple endpoints are vulnerable to XML External Entity injection (XXE) to Pornhub - 136 upvotes, $2500
XXE through injection of a payload in the XMP metadata of a JPEG file to Informatica - 128 upvotes, $0
XXE Injection through SVG image upload leads to SSRF to Zivver - 111 upvotes, $0
XXE in Site Audit function exposing file and directory contents to Semrush - 99 upvotes, $2000
[RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com to Pornhub - 89 upvotes, $10000
XXE in DoD website that may lead to RCE to U.S. Dept Of Defense - 89 upvotes, $0
Blind XXE via Powerpoint files to Open-Xchange - 86 upvotes, $2000
blind XXE in autodiscover parser to Mail.ru - 70 upvotes, $5000
LFI and SSRF via XXE in emblem editor to Rockstar Games - 68 upvotes, $1500
Blind OOB XXE At "http://ubermovement.com/" to Uber - 55 upvotes, $500
XXE на webdav.mail.ru - PROPFIND/PROPPATCH to Mail.ru - 54 upvotes, $10000
XXE on ██████████ by bypassing WAF ████ to QIWI - 53 upvotes, $5000
[rev-app.informatica.com] - XXE to Informatica - 44 upvotes, $0
RCE via Local File Read -> php unserialization-> XXE -> unpickling to h1-5411-CTF - 43 upvotes, $0
XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 39 upvotes, $3137
Authenticated XXE to WordPress - 39 upvotes, $600
XML Parser Bug: XXE over which leads to RCE to drchrono - 32 upvotes, $700
XXE on DoD web server to U.S. Dept Of Defense - 31 upvotes, $0
Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11 to Starbucks - 28 upvotes, $500
[app.informaticaondemand.com] XXE to Informatica - 24 upvotes, $0
Blind XXE on my.mail.ru to Mail.ru - 23 upvotes, $800
Non-production Open Database In Combination With XXE Leads To SSRF to Evernote - 23 upvotes, $0
XXE in upload file feature to Informatica - 21 upvotes, $0
| XXE Attack Type | Description |
|---|---|
Exploiting XXE to Retrieve Files
Where an external entity is defined containing the contents of a file, and returned in the application's response.
Exploiting XXE to Perform SSRF Attacks
Where an external entity is defined based on a URL to a back-end system.
Exploiting Blind XXE Exfiltrate Data Out-of-Band
Where sensitive data is transmitted from the application server to a system that the attacker controls.
Exploiting blind XXE to Retrieve Data Via Error Messages
Where the attacker can trigger a parsing error message containing sensitive data.
