External XML Entity

References

• Advice From a Bug Hunter XXE - Bugcrowd
• XXE that can Bypass WAF Protection

Tools / Payloads

• PayloadsAllTheThings - SSRF Injection

Tools / Payloads

XXE Payloads

Examples

• [2020] - XXE through injection of a payload in the XMP metadata of a JPEG file
• [2019] - XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx
• [2018] - XXE in Site Audit function exposing file and directory contents
• [2018] - Gaining Filesystem Access via Blind OOB XXE
• [2018] - Blind XXE via Powerpoint files
• [2018] - Phone Call to XXE via Interactive Voice Response
• [2018] - LFI and SSRF via XXE in Emblem Editor in Rockstar Games
• [2018] - Blind XXE in Autodiscover Parser
• [2018] - From blind XXE to root-level file read access
• [2018] - Out-of-band XXE in PrizmDoc (CVE-2018–15805)
• [2018] - Blind XML External Entities Out-Of-Band Channel Vulnerability : PayPal Case Study
• [2017] - XXE on sms-be-vip.twitter.com in SXMP Processor
• [2017] - XXE in Uber to read local files
• [2017] - GSA File Server - ASIS CTF Finals 2017
• [2016] - http://nerdint.blogspot.com/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html
• [2014] - Detecting and Exploiting XXE in SAML
• [2014] - How we got read access on Google’s production servers