What is an XXE vulnerability?

Before jumping into the XXE attack, we should know the basics of what XML is and what it is used for.

What is XML used for?

HTML and XML look similar in some ways, such as their use of tags, but the main difference between them is their purpose.

HTML is used to present data; XML is used to store and transfer data.

Definition of XML (XML prolog)

This is an XML prolog.

We do not need to include an XML prolog every time we write XML, but it is good practice.



<!ENTITY person "test"> -> Entities can be used to declare a variable in XML. We can think of an entity as a global variable in a programming language.

<!ENTITY person SYSTEM "secret.txt"> -> The SYSTEM keyword makes the entity refer to an external resource, such as a file in the filesystem. This is the feature of ENTITY in XML that makes it vulnerable.



<name>&person;</name> -> The web page now shows us the content of secret.txt. Otherwise we would just see the word test on the screen.


What is XML external entity injection?

The ENTITY feature allows access to external resources such as system files or other reachable hosts. If a web service uses XML to transfer data between the client and itself, and then shows that data on a web page, you can test that input on the web page for XXE.

Exploiting XXE to retrieve files

Retrieve the passwd file

After submitting a POST request, we can intercept that request with Burp Suite and send it to Repeater for further investigation.

There is a variable in the request called "xxe", and that is the variable we need to check to see whether XXE occurs or not.

Modify the variable with

<!DOCTYPE test [<!ENTITY person SYSTEM "file:///etc/passwd">]>

then send the request again.

Oh! It gave us a chance to view a system file that we normally do not have permission to view.

After viewing /etc/passwd, we can see the users that are able to log into the system. One of them is falcon.

After that, we can try to view falcon's private key in the filesystem, which is at /home/falcon/.ssh/id_rsa.

Falcon's private key file

Let's copy the private key found at /home/falcon/.ssh/id_rsa and paste it into a file on our own system. After saving that private key locally, we try to open an SSH connection with it. Below is the command to connect via SSH:

ssh -i private_key.txt falcon@TARGET_IP_ADDRESS

Access to the web server via SSH

Look at that: we can access the server via SSH with an interactive shell.

Exploiting XXE to perform an SSRF attack


An XXE vulnerability can also be used to reach resources on the network through the ENTITY feature, which turns it into a server-side request forgery (SSRF).

For instance,

<!ENTITY person SYSTEM "localhost:3306">

<!ENTITY person SYSTEM "http://vulnerable.com">

Mitigation of the XXE attack

Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system.
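The following Python script is an added example and not part of the original post. It ties together the two points above: first it shows the "global variable" behaviour of an internal entity with the standard library parser, and then it shows the defensive side, a check that refuses any XML carrying a DOCTYPE before it reaches the parser (disallowing DTDs entirely is the usual recommendation alongside patching, since it removes both external and internal entity declarations) together with a classifier a detection rule can use to flag request bodies that declare SYSTEM or PUBLIC entities. The sample documents, the function names and the regular expressions are all constructed for this example.

```python
"""Added example: internal entity expansion, a DTD guard for untrusted XML,
and a request-body classifier for detection. Not code from the original post."""
import re
import xml.etree.ElementTree as ET

# Constructed sample documents (assumptions for this example).
INTERNAL_ENTITY_DOC = (
    '<!DOCTYPE test [<!ENTITY person "test">]>'
    '<name>&person;</name>'
)
# Same shape as the modified request body in the post: SYSTEM points outside the document.
EXTERNAL_ENTITY_DOC = (
    '<!DOCTYPE test [<!ENTITY person SYSTEM "file:///etc/passwd">]>'
    '<name>&person;</name>'
)
# A parameter entity (declared with %) is the other way a DTD can pull in outside content.
PARAMETER_ENTITY_DOC = (
    '<!DOCTYPE test [<!ENTITY % ext SYSTEM "http://vulnerable.com/x.dtd"> %ext;]>'
    '<name>test</name>'
)
CLEAN_DOC = '<name>test</name>'


def expand_internal_entity(doc):
    """Parse with the stdlib parser and return the text of <name>.

    Expat substitutes the declared value of an internal entity, so the
    reference &person; becomes the string it was declared with. This is
    the 'variable' behaviour the post describes, with no file access."""
    return ET.fromstring(doc).text


# Any DOCTYPE at all: the guard rejects on this, because a DTD is the only
# place general and parameter entities can be declared.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# An entity declaration that points at an external resource (SYSTEM or PUBLIC),
# with or without the % that marks a parameter entity.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def has_dtd(doc):
    """True if the document carries a DOCTYPE declaration."""
    return DOCTYPE_RE.search(doc) is not None


def parse_untrusted_xml(doc):
    """Mitigation: refuse DTDs outright, then parse with the stdlib parser.

    Because no DOCTYPE survives the guard, the parser never sees an entity
    declaration, so neither file:// nor http:// references can be resolved."""
    if has_dtd(doc):
        raise ValueError("DTD not allowed in untrusted XML")
    return ET.fromstring(doc)


def classify_xml_request(doc):
    """Detection: label a request body for logging or alerting.

    'external-entity' for SYSTEM/PUBLIC entity declarations (XXE or SSRF attempt),
    'dtd' for any other DOCTYPE, 'clean' otherwise."""
    if EXTERNAL_ENTITY_RE.search(doc):
        return "external-entity"
    if has_dtd(doc):
        return "dtd"
    return "clean"


if __name__ == "__main__":
    print("internal entity expands to:", expand_internal_entity(INTERNAL_ENTITY_DOC))
    for label, doc in [("internal", INTERNAL_ENTITY_DOC),
                       ("external", EXTERNAL_ENTITY_DOC),
                       ("parameter", PARAMETER_ENTITY_DOC),
                       ("clean", CLEAN_DOC)]:
        print(f"{label:9s} -> {classify_xml_request(doc)}")
    try:
        parse_untrusted_xml(EXTERNAL_ENTITY_DOC)
    except ValueError as exc:
        print("guard rejected the external entity document:", exc)
    print("clean document parsed:", parse_untrusted_xml(CLEAN_DOC).text)
```

The guard is deliberately stricter than the classifier: the classifier tells a SOC analyst which requests were attempts, while the guard does not try to distinguish harmless DTDs from dangerous ones and simply rejects all of them, which is the safe default when the application has no legitimate need for DTDs.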



Thanks for reading.


