Injection: XML External Entity (XXE) via File Upload
Identifier: `file_upload_xxe`
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
XML External Entity (XXE) attacks via file upload (CWE-611) occur when an application parses an attacker-supplied XML document (SVG, DOCX, XLSX, generic XML) with an XML parser that resolves external entities. Successful exploitation can leak local files, trigger SSRF, or cause parser DoS.
How we test: For each detected upload endpoint we submit a tiny XML / SVG / OOXML payload whose DTD references an external entity pointing at the Escape out-of-band collector (ssrf.tools.escape.tech) with a unique per-probe identifier. The payloads stay OOB-only: the default catalogue does not attempt local-file exfiltration (for example `file:///etc/passwd`). A finding is confirmed only when the OOB collector API reports a callback carrying that probe's tag. Every variant uses a per-scan canary filename so it cannot collide with real customer files.
Every probe emits a `context.info` event with the raw multipart request and the upload response as attachments.
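The defensive counterpart of this check, as an added example that is not part of the Escape scanner or this catalogue: the root cause is an XML parser that resolves external entities, so an upload handler can inspect SVG / XML uploads for DTD and entity declarations without resolving anything, and refuse to parse documents that carry them. The payload and the collector hostname below are constructed for illustration (the hostname is a placeholder, not a real service); `inspect_xml_upload`, `upload_is_safe` and `parse_xml_upload` are hypothetical names chosen for this example. Only the Python standard library is used.

```python
"""Screen XML-based uploads (SVG, generic XML, OOXML parts) for XXE before parsing.

Added example, not scanner code. The guard runs expat with external DTD
fetching disabled, records every DOCTYPE and ENTITY declaration it sees,
and refuses to resolve any external entity reference. Uploads that declare
entities (external ones enable file read / SSRF, internal ones enable
entity-expansion DoS) or pull in an external DTD are rejected outright.
"""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Constructed sample payloads. The collector host is a placeholder, not a real OOB service.
SVG_WITH_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY probe SYSTEM "http://oob-collector.example/PLACEHOLDER-ID">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&probe;</text></svg>
"""

SVG_CLEAN = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10"/>
</svg>
"""


def inspect_xml_upload(data: bytes) -> dict:
    """Collect DTD/entity declarations from an upload without resolving any of them."""
    report = {
        "has_doctype": False,
        "doctype_system_id": None,      # external DTD subset, if the DOCTYPE names one
        "external_entities": [],        # (name, system_id) for SYSTEM/PUBLIC entities
        "internal_entities": [],        # names of inline entities (expansion-DoS vector)
    }
    parser = expat.ParserCreate()
    # Never load external DTD subsets or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["has_doctype"] = True
        report["doctype_system_id"] = system_id

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            report["external_entities"].append((name, system_id))
        else:
            report["internal_entities"].append(name)

    def on_external_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort instead of resolving the entity.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        # Aborted or malformed parse: the declarations seen so far are still recorded.
        pass
    return report


def upload_is_safe(data: bytes) -> bool:
    """Accept only uploads with no entity declarations and no external DTD."""
    report = inspect_xml_upload(data)
    return not (
        report["external_entities"]
        or report["internal_entities"]
        or report["doctype_system_id"]
    )


def parse_xml_upload(data: bytes) -> ET.Element:
    """Parse an upload only after the guard has cleared it."""
    if not upload_is_safe(data):
        raise ValueError("rejected XML upload: DTD entities or external DTD present")
    return ET.fromstring(data)


if __name__ == "__main__":
    print(inspect_xml_upload(SVG_WITH_XXE))
    print("clean upload root:", parse_xml_upload(SVG_CLEAN).tag)
```

A bare `<!DOCTYPE svg>` with no system identifier and no entities is still accepted by this guard, which keeps older editor-generated SVGs working; tighten `upload_is_safe` to `not report["has_doctype"]` if the service never needs DTDs at all. Logging the returned report alongside the rejection gives the SOC the same evidence the scanner's `context.info` event carries: which entity was declared and where it pointed.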
References:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- https://cwe.mitre.org/data/definitions/611.html
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.