Finding and Exploiting XXE – XML External Entities Injection

In this article, we will have an in-depth look at how to find and exploit XML External Entity Injection vulnerabilities.


XXE (XML External Entity) injection, as the name suggests, is an attack against applications that parse XML data. The XML specification describes a document as being made up of storage units called entities; in programming terms, think of an entity as a variable that holds some value and is substituted wherever it is referenced. The specification distinguishes two kinds of entity:

Internal Entity:

As per the XML standard, an internal entity is one whose replacement text is given directly in the declaration as a string literal, so expanding it never requires the parser to read anything outside the document. It is declared as follows:

<!ENTITY internal "Internal Entity">

internal = name of the entity (the "variable")

"Internal Entity" = the string literal that replaces every reference to it

External Entity:

Any entity that is not an internal entity is an external entity: its replacement text lives outside the document, at a location the parser has to fetch. An external entity is declared as follows:

<!ENTITY external SYSTEM "http://www.example.com/test.xml">

(The alternative form uses the keyword PUBLIC, followed by a public identifier and then the same kind of system literal.)

The quoted string after SYSTEM is the SystemLiteral, called the entity's system identifier. When an XML processor encounters a reference to the entity, it resolves that URI reference (here http://www.example.com/test.xml), reads the resource and uses its content as the value of "external", or of any other reference in the XML data that points at it. The security-relevant point is that the XML processor, running on the server, performs that fetch: whoever controls the DOCTYPE controls what the server reads, whether a URL like the one above, a local file via the file: scheme, or an internal host the attacker cannot otherwise reach. We will discuss this in more detail in the OOB (Out of Band) XXE exploitation section.
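To make the difference between the two entity kinds concrete, here is an added example that is not part of the original article. It uses Python's standard-library xml.sax parser: the internal entity from the text above is expanded without any I/O, while the external entity is fetched from its system identifier only when the parser's external-general-entities feature is switched on. The "secret" file is constructed by the script itself (a stand-in for a sensitive server-side file), and a file: URI to it takes the place of the http://www.example.com/test.xml URI; both references use the general-entity `&name;` syntax described in the next section.

```python
"""Internal vs external entity resolution with Python's stdlib xml.sax parser."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class TextCollector(xml.sax.ContentHandler):
    """Concatenates all character data the parser reports, entity expansions included."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, load_external_entities):
    """Parse the document and return its text content.

    load_external_entities toggles SAX's external-general-entities feature:
    True  -> the parser fetches the system identifier of every external
             entity it encounters (the XXE-prone configuration);
    False -> external entity references are left unexpanded (the default
             in current Python releases).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, load_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def internal_entity_demo():
    """The internal entity from the article: its replacement text is the
    string literal in the declaration, so no I/O happens on expansion."""
    doc = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE foo [ <!ENTITY internal "Internal Entity"> ]>'
           b'<foo>&internal;</foo>')
    return parse_text(doc, load_external_entities=False)


def external_entity_demo():
    """Return (text with external entities loaded, text with them disabled)."""
    # Constructed stand-in for a sensitive file on the parsing server.
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as fh:
        fh.write(b"TOP-SECRET-VALUE")
        secret_path = fh.name
    try:
        # The system identifier is a file: URI; an http: URI would be
        # resolved the same way, which is what makes OOB/SSRF-style XXE work.
        doc = ('<?xml version="1.0"?>'
               f'<!DOCTYPE foo [ <!ENTITY external SYSTEM "file://{secret_path}"> ]>'
               '<foo>&external;</foo>').encode()
        leaked = parse_text(doc, load_external_entities=True)
        withheld = parse_text(doc, load_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, withheld


if __name__ == "__main__":
    print("internal entity ->", repr(internal_entity_demo()))
    leaked, withheld = external_entity_demo()
    print("external entity, feature on  ->", repr(leaked))
    print("external entity, feature off ->", repr(withheld))
```

With the feature enabled the file content comes back as the element's text, exactly as if the application had read the file itself; with it disabled the reference expands to nothing. Turning the feature off is the minimum fix for this parser; rejecting any document that carries a DOCTYPE at all is the more robust policy, since it also removes the entity-expansion (billion laughs) and parameter-entity tricks that later sections of the article build on.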

Depending on how it is declared and where it may be referenced, an entity is further classified as either a general entity or a parameter entity.

General Entity

General entities are the ones referenced from document content with an ampersand, as &name;. The declaration is as follows:

<?xml version="1.0"?>

<!DOCTYPE html[

    <!ELEMENT bar ANY>

    <!ENTITY (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Sahil Dhar. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/TmNOXgVkDWk/