In recent years, major tech companies including Google, Facebook, Magento, Shopify, Uber, Twitter, and Microsoft have had XML External Entity attacks reported against their major applications. One such vulnerability that has been around for many years is XML external entity injection, or XXE. It can be used, for example, to read arbitrary files from the server, including sensitive files such as the application's configuration files. One XXE attack gave its finders read-only access to Google's production servers.

So far, vulnerabilities like SQL injection and command injection have played the biggest role in web application attacks, but XXE is also a critical bug that can give the attacker access to the server itself. The OWASP Top Ten also lists XXE among its critical vulnerability categories. This vulnerability is an important one to understand because many popular XML parsers are vulnerable in their default configuration.

To best explain and demonstrate the exploitation of XXE, we must first start with the basics of XML.

XML stands for eXtensible Markup Language
- XML is a markup language similar to HTML.
- XML was designed to store and transport data.
- XML was designed to be self-descriptive.
- Extensible Markup Language (XML) is a feature-rich and widely used information exchange format and standard.

The XML 1.0 standard defines the structure of an XML document, and it allows that structure to be described with a Document Type Declaration, or DTD. The DTD provides a mechanism for defining entities whose values can be substituted into the XML document contents, which is helpful when the same value is used multiple times. The standard defines an entity as a storage unit of some type. The XML specification describes several types of so-called entities; it is these entities that are usually used for attacks on XML, hence the name XML eXternal Entity (XXE). Of these, external entities have been attacked most frequently (DoS attacks aside): by using files on the file system as the source of an external entity, it was possible (though not always) to read those files via data output in the XML or via error output. Beyond that, it was possible to conduct DoS attacks, to brute-force the content of a parsed entity, and to read files via a DTD which, if error output was enabled, displayed the content of the read file.

There are different types of entities, but the one we're focusing on is the externally referenced entity. External entities are valuable to attackers because they can access local or remote content via declared system identifiers, which makes them the more critical attack on the web application. The way it works is simple: a SYSTEM identifier is declared, and that identifier references the local file "/etc/passwd", which lists the accounts on the machine. The value of the entity 'xxe' (which now holds the contents of /etc/passwd) is then included within the application's failed login response.

There are two primary types of XXE:
- In-band XXE: attacks whose output is included within the server's response.
- Blind XXE: attacks that process an entity but do not include the results within the output. We must instead entice the application server to 'send us' the response.

Upon receiving user-supplied requests, application servers parse the provided data and process it to perform some action.
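The SYSTEM-entity file read described above, as an added example that is not code from the original page. It uses Python's bundled expat bindings: expat itself never fetches a SYSTEM identifier, so the `external_entity_ref` callback below plays the role of a parser configured to resolve external entities (the vulnerable default the text warns about), and the hardened mode rejects any entity declaration that carries a SYSTEM or PUBLIC identifier. The login document, the passwd-style file (written to a temp file rather than reading the real /etc/passwd) and every function name are constructed for this example.

```python
"""Added example: XXE via a SYSTEM entity, demonstrated with Python's expat bindings.
Not code from the original page; the payload and the passwd sample are constructed."""
import os
import tempfile
from urllib.parse import urlparse
from urllib.request import url2pathname
from xml.parsers import expat

# Constructed stand-in for /etc/passwd so the example never touches the real file.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def write_sample_passwd():
    """Write the constructed passwd content to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="passwd-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_PASSWD)
    return path


def build_login_payload(target_path):
    """XXE payload: declare an entity with a SYSTEM identifier, reference it in <username>."""
    uri = "file://" + target_path  # mkstemp returns an absolute path
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE login [\n"
        f'  <!ENTITY xxe SYSTEM "{uri}">\n'
        "]>\n"
        "<login><username>&xxe;</username><password>guess</password></login>"
    )


class ExternalEntityRejected(ValueError):
    """Raised by the hardened parser when the DTD declares a SYSTEM or PUBLIC entity."""


def parse_username(xml_text, resolve_external_entities):
    """Return the text of <username>.

    resolve_external_entities=True mimics a parser that fetches SYSTEM identifiers
    (the vulnerable configuration); False refuses external entity declarations
    before a single byte of the target is read."""
    parser = expat.ParserCreate()
    state = {"in_username": False, "chunks": []}

    def start_element(name, attrs):
        state["in_username"] = name == "username"

    def end_element(name):
        if name == "username":
            state["in_username"] = False

    def character_data(data):
        if state["in_username"]:
            state["chunks"].append(data)

    def external_entity_ref(context, base, system_id, public_id):
        # Vulnerable behaviour: dereference the attacker-chosen system identifier and
        # hand the bytes to a child parser, which reports them as ordinary character data.
        path = url2pathname(urlparse(system_id).path)
        with open(path, "rb") as f:
            data = f.read()
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1  # non-zero tells expat the entity was handled

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Hardened behaviour: any external identifier in the DTD aborts the parse.
        if system_id is not None or public_id is not None:
            raise ExternalEntityRejected(f"external entity '{name}' not allowed")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    if resolve_external_entities:
        parser.ExternalEntityRefHandler = external_entity_ref
    else:
        parser.EntityDeclHandler = entity_decl
    parser.Parse(xml_text, True)
    return "".join(state["chunks"])


def failed_login_response(xml_text, resolve_external_entities):
    """The application echoes the username back in its error message; that echo is
    what turns the expanded entity into an in-band leak."""
    username = parse_username(xml_text, resolve_external_entities)
    return f"Login failed for user '{username}'"


def hardened_rejects(xml_text):
    """True if the hardened parser refuses the document instead of expanding it."""
    try:
        parse_username(xml_text, resolve_external_entities=False)
    except ExternalEntityRejected:
        return True
    return False


if __name__ == "__main__":
    target = write_sample_passwd()
    payload = build_login_payload(target)
    print(failed_login_response(payload, resolve_external_entities=True))
    print("hardened parser rejects payload:", hardened_rejects(payload))
    os.unlink(target)
```

Run stand-alone, the first line printed is the "failed login" message with the two passwd entries inside the quoted username, which is exactly the in-band case; the hardened parser raises before the file is opened. Rejecting the DOCTYPE altogether is the stricter option where the application has no legitimate use for DTDs, and the same `EntityDeclHandler` check works for that by raising on any declaration.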