XXE via File upload

Some applications allow users to upload files that are then processed server-side. Several common file formats are XML-based or contain XML subcomponents.

Examples of XML-based formats are office document formats like .docx and image formats like .svg.

  • If an application lets users upload images and processes or validates them on the server after upload, that processing step parses whatever format the library recognises, not just the one the UI advertises.

  • If the application expects a format like .png or .jpeg, the image-processing library it uses is likely to accept .svg as well.

Since SVG is XML, an attacker can submit a malicious SVG image and reach hidden attack surface for XXE vulnerabilities.

First, check the client-side and server-side validation by uploading a normal .png or .jpeg file.

This typically comes back with an error, for example that the avatar is too large, which confirms the upload is inspected on the server.

Now intercept that request and replace the PNG body with an XML-based SVG payload:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>

The above payload returns the hostname by way of a classic external entity (not XInclude): xxe is declared in the internal DTD subset with a SYSTEM identifier pointing at file:///etc/hostname, and the parser substitutes the file contents for &xxe; inside the <text> element. The data is only visible to us if the server renders the processed SVG back, for example as the avatar image.

The application accepts the payload as a valid SVG image and responds with a 200; the rendered avatar then shows the contents of /etc/hostname.

XXE via Modified Content-Type

Most POST requests generated by HTML forms carry a default Content-Type such as

  • application/x-www-form-urlencoded

An attacker can tamper with the Content-Type and switch the request to an XML format:

POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52

<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>

If the server-side framework chooses its body parser from the request's Content-Type (content negotiation on the backend's configured MIME types) instead of only accepting the type the endpoint was built for, then an attacker can:

  • Find hidden XXE attack surface simply by reformatting requests to use XML, even on endpoints that were never meant to receive it
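The following is an added example, not code from the original notes or from any lab: the server-side checks that close both routes described above, the XML-bearing file upload and the switched Content-Type. It uses only the Python standard library; the allowed-type sets, the sample bodies and the function names are constructed for illustration.

```python
"""Gate request bodies before any XML parser sees them (added example)."""
import xml.parsers.expat

# Magic bytes of the binary image formats an avatar endpoint is meant to accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}


def build_svg_xxe_payload(path="/etc/hostname"):
    """Attacker-side view: the SVG payload from the notes with the target
    file parameterised. The entity expands inside <text>, so the file only
    becomes visible if the server renders the SVG back to the user."""
    return (
        '<?xml version="1.0" standalone="yes"?>'
        '<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file://%s" > ]>'
        '<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">'
        '<text font-size="16" x="0" y="16">&xxe;</text></svg>' % path
    ).encode()


def is_xml_type(mime):
    return mime.endswith("/xml") or mime.endswith("+xml")


def sniff(body):
    """Classify a body by its bytes, ignoring whatever the client declared."""
    for sig, mime in IMAGE_SIGNATURES.items():
        if body.startswith(sig):
            return mime
    head = body.lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM and whitespace
    if head.startswith(b"<"):                    # heuristic: markup of some kind
        return "text/xml"
    return None


class DtdFound(Exception):
    pass


def xml_declares_dtd(body):
    """True if the XML carries a DOCTYPE or any entity declaration. expat
    callbacks are used rather than a regex so comments, whitespace and
    encoding tricks around '<!DOCTYPE' do not slip past the check."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdFound("DOCTYPE " + name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdFound("ENTITY " + name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except DtdFound:
        return True
    except xml.parsers.expat.ExpatError:
        return False  # not well-formed XML; the image library rejects it anyway
    return False


def check_request_body(declared_type, body, allowed_types):
    """Returns (accepted, reason).
    1. Only the Content-Types this endpoint was designed for are parsed,
       which closes the 'switch the form POST to text/xml' route.
    2. The body is sniffed, so a file named .png that is really XML is caught.
    3. XML that declares a DTD is refused: an image upload never needs entities.
    """
    if declared_type not in allowed_types:
        return False, "Content-Type %s not accepted by this endpoint" % declared_type
    detected = sniff(body)
    if detected and detected != declared_type and not (
        is_xml_type(detected) and is_xml_type(declared_type)
    ):
        return False, "declared %s but body looks like %s" % (declared_type, detected)
    if detected and is_xml_type(detected) and xml_declares_dtd(body):
        return False, "XML body declares a DTD or entity; refusing to parse"
    return True, "ok"


# Constructed sample bodies (not captured traffic).
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # PNG signature, truncated
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
FORM_TO_XML = b'<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>'

if __name__ == "__main__":
    avatar = {"image/png", "image/jpeg"}
    form = {"application/x-www-form-urlencoded"}
    for args in [
        ("image/png", PNG_STUB, avatar),
        ("image/png", build_svg_xxe_payload(), avatar),
        ("image/svg+xml", build_svg_xxe_payload(), {"image/svg+xml"}),
        ("image/svg+xml", CLEAN_SVG, {"image/svg+xml"}),
        ("text/xml", FORM_TO_XML, form),
    ]:
        print(args[0], check_request_body(*args))
```

Rejecting any DOCTYPE is deliberate: some editors export SVGs with a harmless DOCTYPE, and those will be refused too, which is the usual trade-off when the alternative is letting a DTD reach the parser. The allow-list on declared Content-Type is the fix for the second section; sniffing plus the DTD check is the fix for the first.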
