XML external entity attacks (XXEs)

XML external entity attacks (XXEs) are fascinating vulnerabilities that target an application's XML parser: when the parser honours attacker-supplied DTD declarations, it can be made to read local files or send requests on the server's behalf.
XXE is less common (~10-15% of apps) but extremely dangerous when present. You can find it in legacy APIs (SOAP, XML-RPC), PDF generators, Office document and SVG handling (both are XML underneath), and misconfigured cloud services (AWS S3, Azure Blob).
Testing for it is worthwhile on systems that process XML (e.g., finance, healthcare) because it can lead to SSRF, RCE, or data leaks (e.g., /etc/passwd).
Test in XML-heavy apps (APIs, file processors), but skip it if no XML is used. The cases to cover:
- Exploiting XXE using external entities to retrieve files
- Exploiting XXE to perform SSRF attacks
- Blind XXE with out-of-band interaction
- Blind XXE with out-of-band interaction via XML parameter entities
- Exploiting blind XXE to exfiltrate data using a malicious external DTD
- Exploiting blind XXE to retrieve data via error messages
- Exploiting XInclude to retrieve files
- Exploiting XXE via image file upload
- Exploiting XXE to retrieve data by repurposing a local DTD
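The mitigation that closes every case in the list above is to refuse DTD processing (and XInclude) for untrusted input. As an added example, not code from this page, here is a parser wrapper built on Python's standard-library expat bindings that does exactly that; the sample documents are constructed for the demonstration.

```python
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Constructed samples: one benign document and two that must be refused.
SAFE_DOC = b'<order><item sku="A1">2</item></order>'
XXE_DOC = (b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<order>&xxe;</order>')
XINCLUDE_DOC = (b'<order xmlns:xi="http://www.w3.org/2001/XInclude">'
                b'<xi:include href="file:///etc/passwd" parse="text"/></order>')

class UnsafeXML(ValueError):
    """The document uses a feature that enables XXE or XInclude."""

def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML with every DOCTYPE refused; returns (name, attrs, text) tuples.

    Entities (internal, external or parameter) can only be declared inside a
    DTD, so refusing the DOCTYPE cuts off file retrieval, SSRF and the blind
    variants at once. XInclude is a separate mechanism, refused by element name.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    elements, stack = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed: %r" % name)
    def on_start(tag, attrs):
        if tag.startswith(XINCLUDE_NS + "}"):  # expat reports "namespace}local"
            raise UnsafeXML("XInclude element blocked: %r" % tag)
        stack.append([tag, attrs, ""])
    def on_text(text):
        if stack:  # character data is only reported inside the root element
            stack[-1][2] += text
    def on_end(tag):
        name, attrs, text = stack.pop()
        elements.append((name.rsplit("}", 1)[-1], attrs, text.strip()))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    parser.Parse(data, True)  # an exception from any handler aborts the parse
    return elements

def is_safe_xml(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False
```

Malformed input still raises `xml.parsers.expat.ExpatError`, which callers should treat as a rejection as well.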
Last update: 2025-05-19 17:27