search

XML External Entity (XXE)

XXE happens where we can inject our XML inputs and those inputs are not being sanitized by XML Parser

hashtag
Basic XXE Payloads

#Simple File read
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>

#php filters
<!DOCTYPE email [<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=connection.php">]>

hashtag
Basic XXE Testing

In the below image i can see that my email is getting reflected back to me, so i will test for XXE in that parameter

now i will test for Basic XXE

hashtag
XXE PHP Filters to Read Source Code

We can now try to read the source code using php filters, i will try to read connection.php file

hashtag
Advanced File Disclosure (XXE CDATA)

if the web app is not build in php then php filters cannot help us, for this we can use CDATA and read any sort of file including binary data as well.

This will not work, because we cannot join internal and external entities in XML like this, so we need to find out another way

so i will host an DTD on my Python server

now this will get the DTD from my python server.

now I can read the files as well.

hashtag
Blind XXE (Out of Band Data Exfiltration)

Sometimes you don't get a response from the website so you need to redirect the response to your own python server

We need to host the xxe.dtd on our python server

PreviousServer Side Request Forgery (SSRF)NextServer Side Template Injection (SSTI)

Last updated