
xxe-format

Extensible Markup Language (XML) is a common markup language designed for flexible transfer and storage of data in various types of applications. XML uses an HTML-like structure.

XML/Email format

<?xml version="1.0" encoding="UTF-8"?>
<email>
  <date>01-01-2022</date>
  <time>10:00 am UTC</time>
  <sender>john@inlanefreight.com</sender>
  <recipients>
    <to>HR@inlanefreight.com</to>
    <cc>
      <to>billing@inlanefreight.com</to>
      <to>payslips@inlanefreight.com</to>
    </cc>
  </recipients>
  <body>
  Hello,
      Kindly share with me the invoice for the payment made on January 1, 2022.
  Regards,
  John
  </body>
</email>

XML DTD

An XML Document Type Definition (DTD) allows an XML document to be validated against a pre-defined document structure.

The above document can reference its DTD through a local file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email SYSTEM "email.dtd">

or through a URL:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email SYSTEM "http://inlanefreight.com/email.dtd">

XML entities

We may also define custom entities in XML DTDs to allow refactoring of variables and reduce repetitive data. This can be done with the ENTITY keyword.

Once we define an entity, it can be referenced in an XML document between an ampersand (&) and a semicolon (;), e.g. &company;. Whenever an entity is referenced, the XML parser replaces it with its value. Most interestingly, however, we can reference External XML Entities with the SYSTEM keyword.

We may also use the PUBLIC keyword instead of SYSTEM for loading external resources, which is used with publicly declared entities and standards, such as a language code lang="en". In this module, we'll be using SYSTEM, but we should be able to use either in most cases.
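The three declaration forms described above (internal, SYSTEM and PUBLIC), as an added example that is not part of the original page: a Python function built on the standard library's expat bindings that lists the entities a document declares and returns the text the parser actually produced, without loading anything external. The entity names, URLs and sample document are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample: the page's email document plus an inline DTD declaring
# one internal, one SYSTEM and one PUBLIC entity (names and URLs are made up).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY company "Inlane Freight">
  <!ENTITY signature SYSTEM "http://inlanefreight.com/signature.txt">
  <!ENTITY terms PUBLIC "-//EXAMPLE//TEXT Terms//EN" "http://inlanefreight.com/terms.txt">
]>
<email>
  <sender>john@inlanefreight.com</sender>
  <body>Invoice request from &company;. &signature; &terms;</body>
</email>"""


def audit_entities(xml_bytes):
    """Return (declared entities, character data the parser produced)."""
    declared, text = [], []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is not None:          # value is set only for internal entities
            kind = "internal"
        elif public_id is not None:
            kind = "external-public"
        else:
            kind = "external-system"
        declared.append({"name": name, "kind": kind, "target": system_id})

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = text.append
    # No ExternalEntityRefHandler is installed, so expat skips references to
    # SYSTEM/PUBLIC entities instead of fetching them.
    parser.Parse(xml_bytes, True)
    return declared, "".join(text)


def external_targets(declared):
    """Targets a resolving parser would be asked to load; reject or log these."""
    return [d["target"] for d in declared if d["kind"] != "internal"]


if __name__ == "__main__":
    decls, body = audit_entities(SAMPLE)
    print(decls)
    print(repr(body))
    print("external targets:", external_targets(decls))
```

The internal entity &company; is replaced with its value in the returned text, while the two external references are skipped and only reported as targets.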

We should know which element is reflected back on the web page.
