XML External Entity (XXE) injection exploits XML parsers that process references to external entities. It is a classic vulnerability in XML-consuming applications: SOAP services, document upload features, SAML, configuration parsers. It can lead to file disclosure, SSRF, DoS, and RCE.
How XXE works
XML supports external entities: references to external resources. When a parser fetches the referenced content and substitutes it into the document, attacker-controlled references can point at sensitive local files or internal URLs.
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
The parser sees &xxe; and expands it to the contents of /etc/passwd. If the parsed content is echoed back (e.g. in an API response), the attacker receives the file.
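The following is an added example (not code from the original page) that shows the mechanism above end to end using only Python's standard-library SAX/expat parser. A "secret" file is constructed in a temporary directory and referenced from a document shaped like the one above; the same document is then parsed three ways: with external general entity resolution enabled (the file content lands in the parsed text), with it disabled (the entity expands to nothing), and with a lexical handler that rejects any DOCTYPE outright, which is the configuration to use for untrusted input. The helper names (`parse_xml`, `xxe_document`, `demo`) and the secret's content are assumptions of this example.

```python
"""XXE demonstration with the Python standard library (added example).

The secret file and its contents are constructed here for the demo; nothing
on the real filesystem is read.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler
from xml.sax.handler import ContentHandler


class TextCollector(ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class NoDtdAllowed:
    """Lexical handler that refuses any DOCTYPE.

    Untrusted XML has no business carrying a DTD, so rejecting it before any
    entity is declared closes the XXE class regardless of parser defaults.
    """

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in untrusted XML")

    # The remaining callbacks are required by the SAX lexical-handler contract.
    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def xxe_document(file_url):
    """Build a document with the same shape as the one on the page (hypothetical helper)."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        f'<!ENTITY xxe SYSTEM "{file_url}">\n'
        "]>\n"
        "<foo>&xxe;</foo>"
    ).encode("utf-8")


def parse_xml(xml_bytes, resolve_external_entities, reject_dtd=False):
    """Parse and return the text content; the flags select the parser posture."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls resolution of external general entities;
    # it is False by default in CPython's expat reader, True here models a
    # parser (or a library) that resolves them.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    if reject_dtd:
        parser.setProperty(handler.property_lexical_handler, NoDtdAllowed())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Return (leaked_text, text_with_entities_disabled, dtd_was_rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        secret.write_text("db_password=hunter2")  # constructed sample secret
        doc = xxe_document(secret.as_uri())       # file:///.../secret.txt

        leaked = parse_xml(doc, resolve_external_entities=True)
        safe = parse_xml(doc, resolve_external_entities=False)
        try:
            parse_xml(doc, resolve_external_entities=False, reject_dtd=True)
            rejected = False
        except ValueError:
            rejected = True
    return leaked, safe, rejected


if __name__ == "__main__":
    leaked, safe, rejected = demo()
    print("resolving parser returned:", repr(leaked))
    print("entities disabled returned:", repr(safe))
    print("DOCTYPE rejected:", rejected)
```

The first result is exactly the "echoed back" case described above: the file content becomes ordinary character data and is returned to whoever receives the parsed output. Disabling external entities stops the fetch, but the document is still accepted; rejecting the DOCTYPE also fails closed against entity-expansion DoS and against libraries whose defaults differ from CPython's.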