The Billion Laughs Bomb

YuvaSec

Introduction

XML External Entity (XXE) attacks are not just theoretical; they are dangerously real. If your application processes XML in any form (an API, a file upload, a SOAP endpoint), you may already be vulnerable, and many developers don’t even know it.

In this article, I’ll walk you through how XXE attacks work, how attackers exploit them step-by-step, real-world examples, and how to secure your stack. This is your field guide to surviving the XXE wilderness.


Understanding XXE Injection: The Fundamentals

What is XXE?

An XML External Entity (XXE) attack targets vulnerable XML parsers. It leverages the <!DOCTYPE> declaration and the entities it defines to read restricted files, make HTTP requests to internal services, or cause a Denial of Service.

If your XML parser allows external entities (enabled by default in many platforms), attackers can use payloads like:

<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>

Impact? Your server could unknowingly leak sensitive data, query internal services, or crash entirely.


Key XML Concepts

  • Document Type Definition (DTD): Declares rules and entities for the XML doc.

  • Entities:

    • Internal: Text substitution within XML.

    • External: References to outside files or URLs (the core of XXE attacks).

    • Parameter Entities: Used inside DTDs, key to advanced and blind XXE.

The Real Problem: Weak Parsers

Many parsers default to resolving DTDs. That’s like leaving the vault door ajar because the manual says it’s “a feature.”


Types of XXE Attacks and Their Impacts

1. File Disclosure

<!ENTITY xxe SYSTEM "file:///etc/passwd">

Impact: Attacker reads OS, app configs, credentials, or SSH keys.


2. Server-Side Request Forgery (SSRF)

<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">

Impact: Access cloud instance metadata (AWS, Azure), scan internal services.


3. Denial of Service (DoS)

Billion Laughs Payload:

<!ENTITY lol "lol"> ... <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;">

Impact: Exhausts the parser’s memory and CPU through exponential entity expansion, crashing it or hanging the service.


4. Blind XXE (OOB or Error-Based)

  • Out-of-Band (OOB): Reads a file and sends its contents to http://attacker.com

  • Error-based: Triggers a parser error message that leaks the file content


How Hackers Exploit XXE – Step-by-Step

Step 1: Locate XML Inputs

  • Upload portals (.xml, .docx, .svg)

  • SOAP APIs

  • Hidden fields processed as XML


Step 2: Test the Waters

Inject a simple payload:

<!DOCTYPE test [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<test>&xxe;</test>

Look for reflected data, errors, or strange delays (DoS).


Step 3: Craft Exploits

  • File read: file:///etc/shadow

  • SSRF: http://localhost:8080/admin

  • Blind XXE: Use external DTDs or DNS


Step 4: Data Exfiltration

  • Capture via attacker-controlled URL

  • Observe logs for OOB requests

  • Decode errors for leaked values


Real-World Incidents

  • IBM WebSphere: XXE enabled access to server-side files.

  • SharePoint & DotNetNuke: File upload paths led to XXE vectors.

  • PostgreSQL: Affected through XML import features.

Even mature systems are vulnerable when DTD processing is left enabled.


Vulnerable vs. Secure Code Snippets

Java (Bad)

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
Document doc = factory.newDocumentBuilder().parse(input);

Java (Good)

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject any DOCTYPE, so no entities can be declared

PHP (Bad)

$xml = simplexml_load_string($xmlInput);

PHP (Good)

// Deprecated since PHP 8.0: libxml >= 2.9 already refuses external entities unless LIBXML_NOENT is passed to the load call
libxml_disable_entity_loader(true);
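As an added example (not code from the article), a Python pre-check that enforces the same policy as the Java disallow-doctype-decl feature above and, when a DOCTYPE is present, reports why it was refused: an external (SYSTEM/PUBLIC) entity, or the worst-case expansion size of the internal entities computed with the same arithmetic the Billion Laughs payload relies on. The sample documents, entity names and the helper names are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents for this demonstration (not from the article).
BENIGN = "<data>hello</data>"
FILE_XXE = ('<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            '<data>&xxe;</data>')
# Three-level relative of Billion Laughs: lol2 expands to 3 * 10 * 10 bytes.
LAUGHS = ('<!DOCTYPE lolz [<!ENTITY lol "lol">'
          '<!ENTITY lol1 "' + "&lol;" * 10 + '">'
          '<!ENTITY lol2 "' + "&lol1;" * 10 + '">]>'
          '<lolz>&lol2;</lolz>')

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\w+)\s+(SYSTEM|PUBLIC)?\s*"([^"]*)"', re.IGNORECASE)
REF_RE = re.compile(r"&(\w+);")

def analyze_dtd(xml):
    """Return (external entity names, worst-case expanded bytes of any internal entity)."""
    external, internal = [], {}
    for _pct, name, kind, value in ENTITY_RE.findall(xml):
        if kind:                      # SYSTEM/PUBLIC: a file or URL fetch
            external.append(name)
        else:
            internal[name] = value
    memo = {}

    def expanded(name, stack):
        if name in stack:             # self-referencing entity: unbounded
            return float("inf")
        if name not in memo:
            value = internal.get(name, "")
            memo[name] = len(REF_RE.sub("", value)) + sum(
                expanded(r, stack | {name}) for r in REF_RE.findall(value))
        return memo[name]

    worst = max((expanded(n, frozenset()) for n in internal), default=0)
    return external, worst

def safe_parse(xml):
    """Refuse any DOCTYPE, as disallow-doctype-decl does, with a loggable reason."""
    if DOCTYPE_RE.search(xml):
        external, worst = analyze_dtd(xml)
        if external:
            raise ValueError(f"external entity declared: {external}")
        raise ValueError(f"DOCTYPE refused; entity expansion up to {worst} bytes")
    return ET.fromstring(xml)
```

For a nine-level payload with ten references per entity the same arithmetic gives 3 * 10**9 bytes from a document of about a kilobyte, which is why the check runs before the real parser sees the input.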

Mitigation Strategies

  • Disable DTDs and external entity resolution

  • Use schema validation (XSD)

  • Sanitize XML input

  • Patch your libraries regularly

  • Use Web Application Firewalls and RASP

  • Run apps with least privileges


Conclusion

XXE is not a bug—it’s a misuse of an XML feature. Most vulnerabilities arise from insecure defaults and developer unawareness.

The fix? Proactively disable external entity parsing. Understand your parser. Test aggressively.

Secure your apps before attackers secure your data.


Disclaimer

This blog is intended solely for educational and ethical learning purposes. Do not attempt to exploit systems without legal authorization. Always use these techniques in safe lab environments.


Further Reading

  1. OWASP XXE Cheat Sheet

  2. PortSwigger Web Security Academy – XXE

  3. Synack: Deep Dive into XXE

  4. Cobalt: Executing XXE Attacks

  5. OWASP: XXE in Real-World Scenarios


Written by YuvaSec

Cybersecurity Enthusiast | Ex-Mechanical Engineer | Lifelong Learner Pivoting into InfoSec On a mission to build skills, break stuff (ethically), and land a job in cybersecurity.