Some web applications rely on the XML format to exchange data with the browser.
XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.
Testers need to find input vectors and forms that send XML formatted data to the application.
For instance, in the following request, the user submitted a search form with the input "TESTINPUT".
POST /action HTTP/1.1
The tester can detect if the XML parser parses the external entities by defining one inside a DOCTYPE element, and checking if the value in the from element gets replaced (the value will be replaced in the messages the application reflects back, such as error messages or search results).
<!DOCTYPE xxeinjection [ <!ENTITY newfrom "VULNERABLE"> ]>
A vulnerable application should replace the value by "VULNERABLE". The tester can then try to disclose local files by pointing the entity at a sensitive file, so that the from value is replaced with that file's content (e.g. /etc/passwd):
<!DOCTYPE xxeinjection [ <!ENTITY newfrom SYSTEM "file:///etc/passwd"> ]>
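The same probes seen from the application's side, as an added example that is not part of the original page: an unhardened parse that reflects the marker, beside a hardened handler that refuses any DTD before an entity can be declared. The request shape (a search document whose from element carries the input) is assumed from the text.

```python
# Added example, not the page's own code. Assumed request shape:
# <search><from>...</from></search>, inferred from the text above.
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed request bodies: the normal submission and the two probes from the text.
BENIGN = '<search><from>TESTINPUT</from></search>'
PROBE = ('<!DOCTYPE xxeinjection [ <!ENTITY newfrom "VULNERABLE"> ]>'
         '<search><from>&newfrom;</from></search>')
FILE_PROBE = ('<!DOCTYPE xxeinjection [ <!ENTITY newfrom SYSTEM "file:///etc/passwd"> ]>'
              '<search><from>&newfrom;</from></search>')


class DTDRejected(ValueError):
    """Raised when a request body carries a DTD; log it as an XXE attempt."""


def naive_from_value(body: str) -> str:
    """Unhardened handling: the stdlib parser expands the internal entity,
    so the value reflected back is exactly the probe's marker."""
    return ET.fromstring(body).findtext('from')


def safe_from_value(body: str) -> str:
    """Hardened handling: abort on the DOCTYPE declaration itself, before the
    internal subset (and any entity in it) is read, then collect <from>'s text.
    Uses expat directly so the doctype hook is available."""
    parser = expat.ParserCreate()
    text, inside = [], [False]

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDRejected(f'DTD {name!r} in request body; legitimate clients send none')

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: inside.__setitem__(0, name == 'from')
    parser.EndElementHandler = lambda name: inside.__setitem__(0, False)
    parser.CharacterDataHandler = lambda data: text.append(data) if inside[0] else None
    parser.Parse(body, True)
    return ''.join(text)


def rejects(body: str) -> bool:
    """True if the hardened handler refuses the body (what a detection rule would log)."""
    try:
        safe_from_value(body)
    except DTDRejected:
        return True
    return False
```

The internal-entity probe is the useful signal to alert on: it needs no outbound access and fires whether or not the parser would also fetch external resources.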