Attacker injects malicious XML entities to read local files, perform SSRF, or interact with internal systems
Hunting
Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Red Flags
- <!DOCTYPE inside request body
- <!ENTITY declarations
- SYSTEM or PUBLIC external references
- Requests containing XML with unexpected external URLs
- File path references (file:///etc/passwd, C:\Windows\win.ini)
Filters
# XML DOCTYPE declaration
http contains "<!DOCTYPE"
# External ENTITY declaration
http contains "<!ENTITY"
# SYSTEM keyword (external entity reference); note that "contains" is case-sensitive
# and this also matches ordinary text containing SYSTEM, so review hits together with the ENTITY filter
http contains "SYSTEM"
# File protocol usage
http contains "file://"
# Common sensitive file targets
http contains "/etc/passwd" or http contains "win.ini"
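The filters above are Wireshark display filters, so they cannot be run outside a capture. As an added example (not part of the original cheat-sheet), the following Python mirrors the same red flags as regexes and runs them over a few constructed request bodies. It goes a little beyond the filters: the ENTITY rule requires SYSTEM or PUBLIC to appear inside an <!ENTITY declaration, which avoids the false positive the bare "SYSTEM" filter produces on ordinary text, and a DOCTYPE on its own is only marked for review, since a PUBLIC DOCTYPE is normal for XHTML. The sample bodies, the internal.example host name and the scoring weights are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample request bodies for the demonstration; not captured traffic.
SAMPLES: Dict[str, str] = {
    "benign_xml": '<?xml version="1.0"?><order><id>42</id></order>',
    "benign_doctype": '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
                      '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html/>',
    "file_entity": '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
                   '"file:///etc/passwd">]><foo>&xxe;</foo>',
    "ssrf_entity": '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal.example/">]>'
                   '<foo>&xxe;</foo>',
    "plain_text_system": "The SYSTEM is down for maintenance",
}

# (rule name, pattern, weight). Weights are an assumption chosen for this example.
# XML keywords are case-sensitive, so DOCTYPE/ENTITY/SYSTEM are matched as written,
# while the URL scheme and file paths are matched case-insensitively.
RULES: List[Tuple[str, "re.Pattern[str]", int]] = [
    ("doctype", re.compile(r"<!DOCTYPE\b"), 1),
    # SYSTEM/PUBLIC only counts when it sits inside an entity declaration
    # (general or parameter entity), unlike the bare "SYSTEM" display filter.
    ("external_entity", re.compile(r"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b"), 3),
    ("file_scheme", re.compile(r"\bfile://", re.IGNORECASE), 3),
    ("sensitive_path", re.compile(r"/etc/passwd|win\.ini", re.IGNORECASE), 2),
]

# Pulls the URI out of SYSTEM "uri" or PUBLIC "pubid" "uri" entity declarations
# so an analyst can see where the parser would have been sent.
ENTITY_TARGET = re.compile(
    r'<!ENTITY\s+(?:%\s*)?\S+\s+'
    r'(?:SYSTEM\s+(?P<q1>["\'])(?P<sys>.*?)(?P=q1)'
    r'|PUBLIC\s+(?P<q2>["\'])[^"\']*(?P=q2)\s+(?P<q3>["\'])(?P<pub>.*?)(?P=q3))'
)


def classify(body: str) -> Tuple[str, List[str]]:
    """Return (level, rule hits) for one request body.

    level is "high" when an external entity, file:// URI or sensitive path is
    present, "review" when only a weak signal such as a DOCTYPE is present,
    and "none" otherwise.
    """
    hits = [name for name, pattern, _ in RULES if pattern.search(body)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    if score >= 3:
        level = "high"
    elif score >= 1:
        level = "review"
    else:
        level = "none"
    return level, hits


def external_targets(body: str) -> List[str]:
    """List the URIs referenced by external entity declarations in the body."""
    return [m.group("sys") or m.group("pub") for m in ENTITY_TARGET.finditer(body)]


def triage(samples: Dict[str, str] = SAMPLES) -> Dict[str, str]:
    """Classify every sample and return name -> level."""
    return {name: classify(body)[0] for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        level, hits = classify(body)
        print(f"{name:20s} {level:7s} hits={hits} targets={external_targets(body)}")
```

The benign XHTML DOCTYPE lands in "review" rather than "high", and the plain sentence containing SYSTEM is not flagged at all; the two entity samples are "high" and external_targets shows the file:// and http:// URIs the entity would have resolved.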