What is XML external entity injection ?

In this article, we are being told about XML external entity injection. You may not have heard about your XML external entity injection before because very little is talked about it.

In such a way, how to find the XML external entity injection bug and what it is, not everyone knows, but we want to tell you here that if you find this bug in a website, you get a good bounty.

Here XML external entity injection is being told for educational purpose, but you should never misuse it in any way, it is a cyber crime.

Note – This article is only for educational purpose. Don’t miss use your knowledge and skills.

What is XXE Injection ?

Before going about XML external entity injection, you should first know about XXE Injection. XML external entity injection itself is called XXE Injection attack.

Here we are telling you using XXE Injection attack image file upload vulnerability but it is not that XXE Injection can be found only by uploading image file, here SSRF attack, this bug is also found through retrieve files.

If we try to understand XML external entity injection in an easy language, then you can say that this bug gives any user access to view the files of the server which are not allowed for any normal user.

In such a way, you can understand the XML external entity injection bug itself, how can hackers remove the information of the server in such a website and how they can also misuse them.

Also Read

local file inclusion vulnerability

Server side Template Injection

How to find XML external entity injection ?

Here we are telling you about the XML external entity injection by using the port swigger website. You can also use the image file upload bug here. This website is open like this in front of you.

XML external entity injection


Here you can see that you get the option to access the lab, you have to click on this option, here you have to first create an account like we normally create an account on a website.

Similarly here you also get the option of solution, we are telling you using this svg format here, here you can see that you have to save this code in svg format.

XML external entity injection

After lab is open, some posts are open in front of you in this way, here you can see any post by opening it, you get the option of comments in all posts, you get the option to choose file.

Missing functional level access control

You can find the XML external entity injection bug in all the websites where you get the option to upload the file like a college website, image websites and many other types of websites.

XML external entity injection

As you can see in the image, we told you a code that we have saved in svg format, we have to upload the same file here in the comment section, in this way you can see.

After uploading the file, your comment gets show as if you can see it in the image here. When you open this image, you get some kind of code show which we have got through the server.

what is open redirect vulnerability practical

XML external entity injection

This can also happen here, you do not always show the code here, in such a way you can also check the code by doing an inspect element, as you can see in the image, here you are thinking what is this code and how has it come.

As you can see here, we had given the code for hostname here, in such a way more payloads can be given here, the payload which is used for cross site scripting attacks can also be given here.

When we can see hostname by submitting it in the solution as you can see in the image, this is the same code that we got through the server after uploading the file.

After submitting your answer here, you can see that you have got the message of congratulations, here you can understand that you have solved your lab xxe via file upload.

what is insecure direct object reference idor

You can use other labs in this way, here everything is also told to you, how can you practice which lab here, this website helps a lot in improving your bug bounty skills.

In such a way, you can understand yourself how you can also use cross site scripting attack with XML external entity injection while doing bug bounty. It happens many times when a bug is found then after trying for some time it ends.

But as long as you do not think of going out of the way, even if there is a bug in the website, you feel that there is no bug in this website, so all you have to think is how to implement one or more attack at the same time.

The Conclusion

I hope that Now you know about XML external entity injection, here we have practically told you about XML external entity injection using image file upload.

You can also use other labs in the same way, everything has been told to you, how you have to perform this attack, you can also try it, so you must first try to solve other labs by yourself.

If you do not know, you can tell us by commenting, we will tell you how to solve other labs as well, but if you try yourself, your skills improve in this as well as you get to learn something new.

This work can also be done with the help of burp suite. We have not told you much about how to use burp suite but soon you will also be told how to find bugs with the help of burp suite.

If you have any kind of question related to XML external entity injection or related to Ethical hacking, in such a way, you can ask in the comment, we will help you completely.

If you liked this article of ours, then you must share this article with us, as well as support us, you are taught everything on this website for free. Subscribe to our blog for latest updates

Sharing is caring


Be the first to comment

Leave a Reply

Your email address will not be published.