What is XML Vulnerability?

XML Vulnerability

An XML External Entity (XXE) vulnerability involves exploiting how an application parses XML input, more specifically, exploiting how the application processes the inclusion of external entities included in the input. To gain a full appreciation for how this is exploited and its potential, I think it’s best for us to first understand what the eXtensible Markup Language (XML) and external entities are.

Also Read :- CSRF, XSS

A metalanguage is a language used for describing other languages, and that’s what XML is. It was developed after HTML in part, as a response to the shortcomings of HTML, which is used to define the display of data, focusing on how it should look. In contrast, XML is used to define how data is to be structured.

XML Vulnerability

Injecting XML Entity

XML is used extensively in today’s web applications, both in requests and responses between the browser and front-end application server and in messages between back-end application components such as SOAP services. Both of these locations are susceptible to attacks whereby crafted input is used to interfere with the operation of the application and normally perform some unauthorized action.

In today’s web applications, XML is often used to submit data from the client to the server. The server-side application then acts on this data and may return a response containing XML or data in any other format. This behavior is most commonly found in Ajax-based applications where asynchronous requests are used to communicate in the background. It can also appear in the context of browser extension components and other client-side technologies.

For example, consider a search function that, to provide a seamless user experience, is implemented using Ajax. When a user enters a search term, a client-side script issues the following request to the server:

  • POST /search/128/AjaxSearch.ashx HTTP/1.1
  • Host: mdsec.net
  • Content-Type: text/xml; charset=UTF-8
  • Content-Length: 44
  • <Search><SearchTerm>nothing will change</SearchTerm></Search>

The server’s response is as follows (although vulnerabilities may exist regard- less of the format used in responses):

  • HTTP/1.1 200 OK
  • Content-Type: text/xml; charset=utf-8
  • Content-Length: 81
  • <Search><SearchResult>No results found for expression: nothing will change</SearchResult></Search>

The client-side script processes this response and updates part of the user interface with the results of the search.

When you encounter this type of functionality, you should always check for XML external entity (XXE) injection. This vulnerability arises because standard XML parsing libraries support the use of entity references. These are simply a method of referencing data either inside or outside the XML document. Entity references should be familiar from other contexts. For example, the entities corresponding to the < and > characters are as follows:

Check XML Syntax:- XML Syntax

The XML format allows custom entities to be defi ned within the XML document itself. This is done within the optional DOCTYPE element at the start of the document. For example:

  • <!DOCTYPE foo [ <!ENTITY testref “testrefvalue” > ] >

If a document contains this defi nition, the parser replaces any occurrences of the &testref; entity reference within the document with the defi ned value, testrefvalue .

Furthermore, the XML specifi cation allows entities to be defi ned using external references, the value of which is fetched dynamically by the XML parser. These external entity defi nitions use the URL format and can refer to external web URLs or resources on the local fi lesystem. The XML parser fetches the contents of the specifi ed URL or fi le and uses this as the value of the defined entity. If the application returns in its response any parts of the XML data that use an externally defi ned entity, the contents of the specifi ed fi le or URL are returned in the response.

External entities can be specifi ed within the attacker’s XML-based request by adding a suitable DOCTYPE element to the XML (or by modifying the element if it already exists). An external entity reference is specifi ed using the SYSTEM keyword, and its defi nition is a URL that may use the file: protocol.

In the preceding example, the attacker can submit the following request, which defines an XML external entity that references a fi le on the server’s fi lesystem:

  • POST /search/128/AjaxSearch.ashx HTTP/1.1
  • Host: mdsec.net
  • Content-Type: text/xml; charset=UTF-8
  • Content-Length: 115
  • <!DOCTYPE foo [ <!ENTITY xxe SYSTEM “file:///windows/win.ini” > ]>
  • <Search><SearchTerm>&xxe;</SearchTerm></Search>

Finally, if the application retrieves the external entity but does not return this in responses, it may still be possible to cause a denial of service by reading a file stream indefinitely. For example:

  • <!DOCTYPE foo [ <!ENTITY xxe SYSTEM ” file:///dev/random”> ]>

How To Test XXE Injection

If users are submitting XML to the server, an external entity injection attack may be possible. If a field is known that is returned to the user, attempt to specify an external entity, as in the following example:

  • POST /search/128/AjaxSearch.ashx HTTP/1.1
  • Host: mdsec.net
  • Content-Type: text/xml; charset=UTF-8
  • Content-Length: 115
  • <!DOCTYPE foo [ <!ENTITY xxe SYSTEM “file:///windows/win.ini” > ] >
  • <Search><SearchTerm>&xxe;</SearchTerm></Search>

If no known field can be found, specify an external entity of “” and monitor the page response time. If the page takes signifi cantly longer to return or times out, it may be vulnerable.

Checkout Links :- Owasp XML External Entity (XXE)


Read Access To Google Difficulty:- Medium Report Link:- Detectify Blog3 Bounty Paid:- $10,000


XXE represents an interesting attack vector with big potential. There are a few ways it can be accomplished, as we’ve looked at, which include getting a vulnerable application to print it’s /etc/passwd file, calling to a remote server with the /etc/passwd file and calling for a remote DTD file which instructs the parser to callback to a server with the /etc/passwd file.

As a hacker, keep an eye out for file uploads, especially those that take some form of XML, these should always be tested for XXE vulnerabilities.

Also Read To Miss:- Hack Instagram , Hack Android Phone.

Related posts

One Thought to “What is XML Vulnerability?”

  1. You’ve gotten one of the best webpages.

Leave a Comment