# XML Injection ## XXE to retrieve files For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server: ```xml 381 ``` The application performs no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the `/etc/passwd` file by submitting the following XXE payload: ```xml ]> &xxe; ``` This XXE payload defines an external entity `&xxe;` whose value is the contents of the `/etc/passwd` file and uses the entity within the `productId` value. This causes the application's response to include the contents of the file: ```xml Invalid product ID: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin ... ``` ## XXE to perform SSRF attacks ```xml ]> ``` ## XInclude attacks ```xml ``` ## XXE attacks via modified content type For example, if a normal request contains the following: ```http POST /action HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 7 foo=bar ``` Then you might be able submit the following request, with the same result: ```http POST /action HTTP/1.0 Content-Type: text/xml Content-Length: 52 bar ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xpthree.gitbook.io/notes/network-services/ports/80-443-http-s/web-vulnerabilities/xml-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.