XXE via File upload
Some applications allow users to upload files which are then processed server side. Several common file formats use XML or contain XML subcomponents. Examples of XML-based formats are office document formats like .docx and image formats like .svg.
If an application allows users to upload images and processes or validates them on the server after upload, then even if the application expects to receive a format like .png or .jpeg, the image processing library is likely to accept .svg too. Since the SVG format uses XML, an attacker can submit a malicious SVG image and so reach hidden attack surface for XXE vulnerabilities.

First, check the client/server validation by uploading a normal .png or .jpeg file. Usually this returns an error saying the avatar is too large.
Now intercept that request and try changing the PNG format to an XML SVG format:
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
The above payload returns us the hostname, using the XInclude namespace reference. The application verifies the above payload as an SVG image and then gives us a 200.
XXE via Modified Content-Type
Most POST requests have a default Content-Type that is generated by HTML forms, such as application/x-www-form-urlencoded. Here an attacker can tamper with the Content-Type and change it to an XML format:
POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52

<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>
If the application accepts the Content-Type as configured by the server's backend MIME type handling, then an attacker can find the hidden XXE attack surface simply by reformatting requests to use the XML format.
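The server-side check a defender would want against both techniques above (SVG smuggled through an image upload, and XML smuggled by switching the Content-Type), as an added example that is not part of the original page: the body is judged by its magic bytes rather than by the declared type, and any XML carrying a DOCTYPE or entity declaration is rejected before an image or XML library ever parses it. The function names, return labels and sample inputs are assumptions constructed here.

```python
import xml.parsers.expat

# Magic bytes of the raster formats the avatar endpoint is meant to accept.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}

class DtdRejected(ValueError):
    """Raised from an expat callback when a DOCTYPE or ENTITY is declared."""

def xml_declares_dtd(data: bytes) -> bool:
    """True if `data` is XML carrying a DOCTYPE or any entity declaration.
    expat callbacks are used instead of a regex so comments, odd whitespace
    or an encoding declaration cannot hide the DTD from the check."""
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise DtdRejected("DTD or entity declaration present")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    try:
        parser.Parse(data, True)
    except DtdRejected:
        return True
    except xml.parsers.expat.ExpatError:
        return False  # not well-formed XML at all, so no DTD either
    return False

def classify_upload(declared_type: str, data: bytes) -> str:
    """Decide whether an uploaded body may be handed to the image library.
    Returns "accept", "reject:xml-dtd" or "reject:magic-mismatch"; the body
    is judged by its bytes, never by the Content-Type the client sent."""
    magic = MAGIC.get(declared_type)
    if magic is not None and data.startswith(magic):
        return "accept"
    if xml_declares_dtd(data):
        return "reject:xml-dtd"  # SVG/XML smuggled under an image type
    return "reject:magic-mismatch"

# Constructed sample inputs (not real uploads), modelled on the page's payload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_XXE = (b'<?xml version="1.0" standalone="yes"?>'
           b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')
SVG_PLAIN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
```

A plain SVG without a DTD is still refused here because it does not match the declared raster type; if the endpoint genuinely needs SVG, the DTD check alone is the minimum before parsing.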