XXE Injection in docx: entity not defined

Information Security Asked by Sorokine on November 5, 2020

My goal is to create a docx file that, when uploaded to a server and parsed there, causes the parser to fetch my url so I know it worked.

Unfortunately, I only have Libre Office and not MS Office at my hands. When I open the file with Libre Office, I get an error:

SAXException: [word/document.xml line 2]: Entity ‘xxe’ not defined

Seems like I did something wrong with my XML syntax, but I can’t figure out what.

The document.xml in the file starts like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "thisismyurl">]><w:document (...)

(Replaced my actual url for readability)

And then later, I have:


I created my file with docem. Using the predefined docem payloads results in the same error. Any idea what could have gone wrong? Thank you a lot!

One Answer

You probably are supposed to get an error. You just injected "something" into the xml parts of the docx file which the application(Word or Libre) isn't used to reading and thus it doesn't understand how to process and display that. If you're trying to test it, you should be uploading it to a Test Server with a vulnerable parser and then check for any pingbacks to your Server/Url.

Answered by Satyam Gothi on November 5, 2020

Add your own answers!

Related Questions

Cookie-to-Header CSRF protection vs CORS

2  Asked on February 19, 2021 by karlis-filipsons


Hydra http-post-form based on length of the response

1  Asked on February 13, 2021 by riccardo-d


Podman: What if user is member of docker group?

1  Asked on February 13, 2021 by dotcs


Case sensitive logins

2  Asked on February 12, 2021 by bobif


What types of modern phone tapping exist today?

0  Asked on February 10, 2021 by begs-the-hessian


How does a hacker reach a back-end file to exploit it?

1  Asked on February 9, 2021 by cronos


MageCart attack on Newegg

1  Asked on February 8, 2021 by integratethis


SNMP Enumeration

1  Asked on January 21, 2021 by 1afx0


Fixing BLE Passkey Entry with SRP

0  Asked on January 21, 2021 by compsciguy


Ask a Question

Get help from others!

© 2023 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP