XXE Injection in docx: entity not defined

Information Security Asked by Sorokine on November 5, 2020

My goal is to create a docx file that, when uploaded to a server and parsed there, causes the parser to fetch my url so I know it worked.

Unfortunately, I only have Libre Office and not MS Office at my hands. When I open the file with Libre Office, I get an error:

SAXException: [word/document.xml line 2]: Entity ‘xxe’ not defined

Seems like I did something wrong with my XML syntax, but I can’t figure out what.

The document.xml in the file starts like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "thisismyurl">]><w:document (...)

(Replaced my actual url for readability)

And then later, I have:


I created my file with docem. Using the predefined docem payloads results in the same error. Any idea what could have gone wrong? Thank you a lot!

One Answer

You probably are supposed to get an error. You just injected "something" into the xml parts of the docx file which the application(Word or Libre) isn't used to reading and thus it doesn't understand how to process and display that. If you're trying to test it, you should be uploading it to a Test Server with a vulnerable parser and then check for any pingbacks to your Server/Url.

Answered by Satyam Gothi on November 5, 2020

Add your own answers!

Related Questions

NTRUEncrypt in TLS and GPG encryption

3  Asked on November 17, 2020 by rubo77


XXE Injection in docx: entity not defined

1  Asked on November 5, 2020 by sorokine


How to send cookie to API on seperate domain in safari

1  Asked on October 29, 2020 by harrison-lucas


Pentesting Webserver Dead End (MySQL White Listing Bypass)

1  Asked on October 25, 2020 by cromwell-rosalin


Proxying MetaSploit through BurpSuite

1  Asked on October 16, 2020 by python


Why would hackers attack a DNS server with a DoS?

1  Asked on September 1, 2020 by alexis-wilke


OIDC Hybrid flow

1  Asked on August 21, 2020 by pdstat


Ask a Question

Get help from others!

© 2022 All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP