The entities &lt; and &gt; represent the characters < and >. These are metacharacters used to denote XML tags, and so must generally be represented using their entities when they appear within data.

A DTD is declared inside the DOCTYPE element at the start of the XML document. The DTD can be fully self-contained within the document itself (known as an "internal DTD"), can be loaded from elsewhere (known as an "external DTD"), or can be a hybrid of the two. For example, the following DTD declares a custom entity:

<!DOCTYPE foo [ <!ENTITY myentity "my entity value" > ]>

Any use of the entity reference &myentity; within the XML document will be replaced with the defined value: "my entity value".

An external entity is declared with the SYSTEM keyword and must specify a URL from which the value of the entity should be loaded. For example:

<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>

The URL can use the file:// protocol, and so external entities can be loaded from a file. For example:

<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>

Retrieving a file this way requires a DOCTYPE element that defines an external entity containing the path to the file. For example, the /etc/passwd file could be retrieved by submitting the following XXE payload:

Where the attacker cannot define or modify a DOCTYPE element, they might be able to use XInclude instead. XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. An XInclude attack can be placed within any data value in an XML document, so the attack can be performed in situations where the attacker only controls a single item of data that is placed into a server-side XML document. To perform an XInclude attack, the attacker needs to reference the XInclude namespace and provide the path to the file that they wish to include. For example:

A common request content type is application/x-www-form-urlencoded. Some web sites expect to receive requests in this format but will tolerate other content types, including XML.

To prevent XXE, disable resolution of external entities and disable support for XInclude. This can usually be done via configuration options or by programmatically overriding default behavior. Consult the documentation for your XML parsing library or API for details about how to disable unnecessary capabilities.
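The following is an added example, not code from the original page: a pre-parse gate, written against Python's standard-library expat bindings, that rejects the two capabilities the text says to disable (DOCTYPE/entity declarations, which XXE needs, and XInclude elements, which the XInclude variant needs) before the document reaches the real parser. It relies only on real pyexpat callbacks (StartDoctypeDeclHandler, EntityDeclHandler, StartElementHandler); the sample documents are constructed here and reuse the page's own file:///path/to/file placeholder.

```python
"""Pre-parse gate for untrusted XML: reject DOCTYPE, entity declarations
and XInclude elements before handing the document to a parser.
Added example, not code from the original page."""
import xml.parsers.expat
import xml.etree.ElementTree as ET

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


class UnsafeXML(ValueError):
    """Raised when an untrusted document uses a feature we have disabled."""


def audit_xml(data):
    """Tokenise `data` with expat and collect every dangerous construct.

    Returns a list of findings (empty when the document is clean).
    Nothing external is fetched: no ExternalEntityRefHandler is installed,
    so expat skips references to external entities instead of loading them.
    Malformed XML raises xml.parsers.expat.ExpatError.
    """
    findings = []
    # "}" as namespace separator makes expat report <xi:include> as
    # "http://www.w3.org/2001/XInclude}include", whatever prefix is used.
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Any DOCTYPE is rejected: untrusted input has no business
        # shipping its own DTD, internal or external.
        findings.append(f"DOCTYPE declaration for <{name}>")

    def on_entity_decl(name, is_parameter, value, base,
                       system_id, public_id, notation):
        # An entity with a SYSTEM/PUBLIC id is external (the XXE case).
        kind = "external" if system_id or public_id else "internal"
        findings.append(f"{kind} entity declaration &{name};")

    def on_start_element(name, attrs):
        if name.startswith(XINCLUDE_NS + "}"):
            findings.append(f"XInclude element {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start_element
    parser.Parse(data, True)
    return findings


def parse_untrusted(data):
    """Parse `data` only if audit_xml found nothing; otherwise raise UnsafeXML."""
    findings = audit_xml(data)
    if findings:
        raise UnsafeXML("; ".join(findings))
    return ET.fromstring(data)


# Constructed sample documents (assumptions for this example, not from the page).
CLEAN = b"<order><item>&lt;widget&gt;</item></order>"
EXTERNAL_ENTITY = (b'<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>'
                   b"<foo>&ext;</foo>")
XINCLUDE = (b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<xi:include href="file:///path/to/file"/></foo>')

if __name__ == "__main__":
    # The clean document parses, and &lt;/&gt; decode back to the metacharacters.
    print(parse_untrusted(CLEAN).find("item").text)
    for doc in (EXTERNAL_ENTITY, XINCLUDE):
        try:
            parse_untrusted(doc)
        except UnsafeXML as exc:
            print("rejected:", exc)
```

This gate is defence in depth, not a replacement for the parser-level switches the text recommends: keep external-entity resolution and XInclude disabled in the library configuration as well, so that a document which slips past the audit (for example via a code path that does not call it) is still parsed without those features.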