February 14, 2019

OWASP XML External Entiy (XXE) attack

XXE or XML External Entity refers to an attack, where an attacker is able to do DOS (Denial of Service) and also gain access to the local files by abusing XML parser.

In general, we found XML in every aspect like web services, documents, databases, etc. So if XML is there, then the XML parser will also be available. Let’s take an example of a simple XML web request, which will be parsed by the web server and display the output.



The Cybersploit



HTTP/1.0 200 OK

The Cybersploit

XML documents use a set of markup declaration to specify the document type in order to validate the document before getting parsed. There are two ways available to do validation, either using XSD (XML Schema Definition) or Data Type Definition (DTD).

Here we will focus on DTD (Data Type Definition) because the vulnerability exists in DTD only. The following example of a Data Type Definition will explain how it works. Here DTD element test is having an entity called name, which is having value “World”. So that when the &name; entity will be used in XML document the parser will replace with the entity value with “world”.


<!DOCTYPE test [


<!ENTITY name “World”>



Hello &name;



HTTP/1.0 200 OK

Hello World

Based on the above example if the XML parser is allowed to parse the external entities an attacker can easily pass any local file system as an entity and the parser will display the content of the file as output. Let’s do it practically.

Mutillidae: OWASP 2017 > A4: XML External Entities > XML External Entity Injection > XML Validator

The following web page is used for reading the XML file content using the XML parser from the server side.

After clicked on the Validate XML button we got the below-parsed output.

It is clear that the XML parser is working perfectly. So let’s try to abuse the parser and try to read the robots.txt file from the web server.


<?xml version="1.0"?>

 <!DOCTYPE change [

<!ENTITY systementity SYSTEM "robots.txt">



<change> <text>&systementity;</text>; </change>


From the above screenshot, it can be seen finally the parser has successfully read the file from the server and display it as a response.

In this lesson, we have learned about The XXE attack. I hope you liked my blog, and if you need anything further on this please write down in the comment section I will be happy to help you. Happy Hacking!

Reference : https://www.acunetix.com


Post a Comment