Questions tagged [xxe]
XXE, or XML External Entity, is part of the XML spec that can introduce a vulnerability in poorly crafted XML parsers.
40 questions
0 votes, 0 answers, 77 views
I'm not sure why the different XXE injection payloads follow a specific pattern
I'm quite new to XXE attacks, so please bear with me. When I look at the different payloads to get an OOB XXE, they all look like the following (external DTD):
<!ENTITY % file SYSTEM "file:///...
1 vote, 0 answers, 318 views
XXE OOB File Content Extraction
Currently, I've discovered an OOB XXE that allows me to include a .dtd file to extract a particular system file content, for instance, /sys/power/disk.
So my file.dtd is:
<!ENTITY % data SYSTEM ...
1 vote, 0 answers, 167 views
How can I manipulate certain server side responses? Specifically Ajax Responses? XXE Attack? Hybrid DNS Resolution?
I would like to be able to switch back and forth between the real DNS and maybe setting a local DNS entry so I can manipulate AJAX responses for code security checks.
For instance if the server ...
1 vote, 0 answers, 360 views
Extracting multiple lines out of band XXE [closed]
I was able to extract a line from the /etc/hostname file and also http://169.254.169.254/latest/meta-data/local-hostname but I want to extract the content of files with multiple lines, such as the AWS ...
0 votes, 0 answers, 3k views
XXE in SOAP request when WS requires WS-Security
I am trying to test XXE and SSRF in a SOAP web service. Let's say that my request looks like this:
<?xml version="1.0"?>
<!DOCTYPE order [
<!ELEMENT foo ANY >
<!ENTITY xxe ...
1 vote, 2 answers, 213 views
Is XXE possible with XSI modify?
I wonder, is an XXE attack possible in this case?
The request data starts with:
<InteractionMessage><Header><SenderApplication>VIP3.0</SenderApplication><...
1 vote, 2 answers, 699 views
Java XXE vulnerability
If I am already using
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
then do I also need to use
xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities",...
1 vote, 1 answer, 989 views
Blind XXE - Exfiltration Data via OOB
My lab
Kali Linux: 192.168.171.134
bWApp Server: http://192.168.171.131
I want to exfiltrate data via HTTP on this Blind XXE.
I'll use the Portswigger Payload.
This is the External.DTD:
...
1 vote, 1 answer, 320 views
XXE SSRF Practice
I'm trying to implement a simple demo - to better understand XXE and SSRF techniques.
I have written these two files below in an attempt to set this up.
I currently intercept the AJAX POST request and ...
1 vote, 1 answer, 1k views
XXE with OOB data exfiltration
SCENARIO:
I successfully tried to send a request to the Burp Collaborator, then the application is vulnerable to SSRF through blind XXE. The payload I used is the following:
<?xml version="1.0...
2 votes, 1 answer, 1k views
PHP Blind XXE Exploitation: Invalid URI in Entity
When attempting to exploit blind XXE as explained in this article, I got an error in my Apache logs:
PHP Warning: DOMDocument::loadXML(): Invalid URI: http://192.168.6.1/82a3ccab632c in Entity
The ...
1 vote, 0 answers, 163 views
Prevent XXE attack by preprocessing XML
I have an old project which parses XML files coming from an external origin, so it is at least in principle vulnerable to XXE.
It is difficult to update the project to use newer versions of XML ...
2 votes, 1 answer, 10k views
XXE - possible to read directories?
I have come across XXE on a CTF a while ago and I can't get my head around where to go from where I am.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php:...
0 votes, 2 answers, 1k views
XXE Injection in docx: entity not defined
My goal is to create a docx file that, when uploaded to a server and parsed there, causes the parser to fetch my URL so I know it worked.
Unfortunately, I only have Libre Office and not MS Office at ...
0 votes, 2 answers, 902 views
Deciding CVSS v3.1 scope parameter for an XXE vulnerability
I have a web application which is vulnerable to an XXE attack. The impact of this vulnerability is that it can do a port scan by sending a malicious XML that does a request to a specific host+port in the ...