Top 25 XXE Bug Bounty Reports

Cristian Cornea
4 min read · Oct 30, 2020

In this article, we will discuss XXE vulnerability, how to find one, and present 25 disclosed reports based on this issue.

What is XXE?

XXE stands for “XML External Entity”. It is an injection vulnerability in which the attacker abuses the application’s XML parser (the component that processes XML-based input) by supplying a document that declares entities the parser then resolves.

This vulnerability is dangerous because it can be chained into several further attack types, which may end in a full compromise of the application.

A critical requirement for such an attack to work is to have XML entities enabled within the parser.

Types of XXE

  • Reflected XXE: the result of exploitation is visible in the application’s output, such as a response reflected in the web page or a file being downloaded directly.
  • Blind XXE: the result of exploitation is not shown in the output and must be inferred from the application’s behaviour, such as a Denial-of-Service (DoS) or a ping request sent to an external host controlled by the attacker.

Common XXE Attack Vectors and Payloads

  • Test if entities are enabled
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY test "pentest"> ]>
<root>…
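The probe above only tells you whether a parser expands entities; the defender-side counterpart is to run the same probe against your own parser and to refuse any document that carries a DOCTYPE at all, which removes both reflected and blind XXE at the source. The script below is an added example, not code from the article: it feeds a constructed probe (modelled on the one above, completed with a `&test;` reference) to Python’s standard-library expat parser with its defaults, then to a hardened configuration that rejects the DOCTYPE declaration before any entity can be defined, and it includes a simple request-body check that flags DTD markup for logging or alerting. The function names, the `BENIGN` sample and the `DoctypeRejected` exception are assumptions made for this example.

```python
"""XXE self-check and mitigation with the standard-library expat parser.

Added example; not part of the original article. It shows that the
article's probe expands under default settings and is stopped by a
parser that refuses DOCTYPE declarations.
"""
import re
import xml.parsers.expat as expat

# Constructed probe, modelled on the article's "test if entities are enabled"
# payload with the entity reference added so the root element uses it.
PROBE = (
    '<?xml version="1.0" ?>\n'
    '<!DOCTYPE replace [<!ENTITY test "pentest"> ]>\n'
    '<root>&test;</root>'
)

# Constructed benign document: no DTD, so a hardened parser must accept it.
BENIGN = '<?xml version="1.0" ?><root>hello</root>'

# Detection signature: any DOCTYPE or ENTITY declaration in an inbound body.
_DTD_MARKUP = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class DoctypeRejected(ValueError):
    """Raised by the hardened parser when the document declares a DOCTYPE."""


def _collect_text(xml_text: str, reject_doctype: bool) -> str:
    """Parse xml_text with expat and return the concatenated character data.

    With reject_doctype=True a StartDoctypeDeclHandler is installed that
    aborts the parse as soon as a DOCTYPE appears, so no entity can ever be
    declared, let alone expanded. Without it, expat expands internal
    entities and delivers the replacement text as ordinary character data.
    """
    parser = expat.ParserCreate()
    chunks: list[str] = []
    parser.CharacterDataHandler = chunks.append

    if reject_doctype:
        def on_doctype(name, sysid, pubid, has_internal_subset):
            # Raising inside the callback propagates out of parser.Parse().
            raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed")
        parser.StartDoctypeDeclHandler = on_doctype

    parser.Parse(xml_text, True)
    return "".join(chunks).strip()


def parse_default(xml_text: str) -> str:
    """Default expat behaviour: internal entities are expanded."""
    return _collect_text(xml_text, reject_doctype=False)


def parse_hardened(xml_text: str) -> str:
    """Hardened behaviour: any DOCTYPE aborts the parse."""
    return _collect_text(xml_text, reject_doctype=True)


def entities_enabled(xml_text: str = PROBE) -> bool:
    """Self-check: does the default parser expand the probe's entity?"""
    return "pentest" in parse_default(xml_text)


def hardened_rejects(xml_text: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_text)
    except DoctypeRejected:
        return True
    return False


def has_dtd(body: str) -> bool:
    """Lightweight request-body check for DTD markup, for logging or alerting."""
    return bool(_DTD_MARKUP.search(body))


if __name__ == "__main__":
    print("default parser expands probe entity:", entities_enabled())
    print("hardened parser rejects probe:", hardened_rejects(PROBE))
    print("hardened parser accepts benign doc:", parse_hardened(BENIGN))
    print("probe carries DTD markup:", has_dtd(PROBE), "| benign:", has_dtd(BENIGN))
```

Refusing the DOCTYPE outright is simpler and safer than trying to enumerate dangerous entity kinds, because it also blocks parameter entities and external DTDs that blind variants rely on; the `has_dtd` check is coarse by design and is meant for telemetry, not as the only control.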
