XXE (XML External Entity)

An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.

XML to LFI

<!DOCTYPE replace [<!ENTITY name SYSTEM 'file:///etc/passwd'> ]>
 <userInfo>
  <firstName>falcon</firstName>
  <lastName>&name;</lastName>
 </userInfo>

PreviousUnsecure JSON Web Token (JWT)NextLFI / RFI (Local / Remote File Inclusion)

Last updated 3 years ago