the entities &lt; and &gt; represent the characters < and >. These are metacharacters used to denote XML tags, and so must generally be represented using their entities when they appear within data.
DOCTYPE element at the start of the XML document. The DTD can be fully self-contained within the document itself (known as an "internal DTD"), can be loaded from elsewhere (known as an "external DTD"), or can be a hybrid of the two.
<!DOCTYPE foo [ <!ENTITY myentity "my entity value" > ]>
&myentity; within the XML document will be replaced with the defined value: "my entity value".
SYSTEM keyword and must specify a URL from which the value of the entity should be loaded. For example:
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>
file:// protocol, and so external entities can be loaded from a file. For example:
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>
DOCTYPE element that defines an external entity containing the path to the file.
/etc/passwd file by submitting the following XXE payload:
DOCTYPE element. However, you might be able to use
XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include. For example:
application/x-www-form-urlencoded. Some websites expect to receive requests in this format but will tolerate other content types, including XML.
XInclude. This can usually be done via configuration options or by programmatically overriding default behavior. Consult the documentation for your XML parsing library or API for details about how to disable unnecessary capabilities.
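As an added example (not code from the original page), a Python entry point for parsing client-supplied XML that applies the advice above with the standard library: it refuses any DOCTYPE before an entity can be defined, never fetches external entities, and rejects elements in the XInclude namespace (both the DTD-based and the XInclude vectors described earlier). The stockCheck documents are constructed sample inputs; the file:///path/to/file entity mirrors the page's own SYSTEM example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

XINCLUDE_NS = "{http://www.w3.org/2001/XInclude}"

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a construct we refuse to process."""

def _refuse_dtd(data: str) -> None:
    """Pass 1: let expat walk the document and abort at the first DOCTYPE.
    Refusing the DTD removes every entity-based XXE vector before one is defined."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE refused: root={name!r} system_id={sysid!r}")
    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity refused: {sysid!r}")  # belt and braces
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_entity
    p.Parse(data, True)

def parse_untrusted_xml(data: str) -> ET.Element:
    """Parse XML from an untrusted client, refusing DTDs and XInclude."""
    _refuse_dtd(data)
    root = ET.fromstring(data)  # ElementTree never fetches external entities itself
    # Pass 2: xi:include elements are inert unless ElementInclude.include() is
    # called on the tree; reject them so no later code path can resolve them.
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith(XINCLUDE_NS):
            raise UnsafeXMLError(f"XInclude refused: href={el.get('href')!r}")
    return root

def xml_verdict(data: str) -> str:
    """Return 'accepted' or a short reason the document was refused."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except UnsafeXMLError as exc:
        return f"refused: {exc}"
    except (ET.ParseError, expat.ExpatError) as exc:
        return f"malformed: {exc}"

# Constructed sample inputs (the file:///path/to/file entity mirrors the
# SYSTEM example above; the stockCheck document is invented for this example).
BENIGN = "<stockCheck><productId>381</productId></stockCheck>"
XXE_DTD = ('<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>'
           "<stockCheck><productId>&ext;</productId></stockCheck>")
XXE_XINCLUDE = ('<stockCheck xmlns:xi="http://www.w3.org/2001/XInclude"><productId>'
                '<xi:include parse="text" href="file:///path/to/file"/></productId></stockCheck>')
```

Calling xml_verdict on the three samples yields "accepted" for BENIGN and a "refused: ..." verdict naming the DOCTYPE or the XInclude href for the other two, which is what should be logged at the application boundary.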