XXE SSRF Practice – Information Security Stack Exchange

Hello, I'm trying to implement a simple demo to better understand XXE and SSRF techniques.
I have written the two files below in an attempt to set this up.

I currently intercept the AJAX POST request and modify the data (params) by appending:
<!DOCTYPE foo ( <!ENTITY xxe SYSTEM "file:///etc/passwd"> )>

*I have also tried another local file instead of /etc/passwd, as I wasn't sure whether it was because www-data cannot access the given file.

I've read that PHP v8+ has patched the built-in parsers to not allow external entities by default.
Hence I tried adding the following, though I believe it's deprecated:

Despite this, it seems like my XXE attempt is not working and I'm not entirely sure why.

xxe.php –

<!DOCTYPE html>
<button type="button" onclick="postData()">Post data</button>

<script>
function postData(){
 var xHTTP = new XMLHttpRequest();
 // Benign request body; the DOCTYPE/entity payload is added by editing this request in the proxy.
 var params = "<?xml version='1.0'?><entry><row>1</row><ex>a</ex><row>2</row><ex>b</ex></entry>";

 xHTTP.onreadystatechange = function(){
  if(this.readyState == 4){
   console.log(this.responseText); // show the handler's output once the response is complete
  }
 };
 xHTTP.open("POST", '/xxe_post_handler.php', true);
 xHTTP.setRequestHeader("Content-Type", "application/xml");
 xHTTP.send(params);
}
</script>

xxe_post_handler.php –


<?php
// Raw request body; the client sends it with Content-Type: application/xml.
$postData = trim(file_get_contents('php://input'));

// Default options: no LIBXML_NOENT, so libxml2 declares any entity found in the
// DOCTYPE but does not substitute it, and an external entity is not fetched.
$xml = simplexml_load_string($postData);

foreach($xml->children() as $child){
 printf("XML child: %s\n", $child);
}

// Second parse of the same body with DOMDocument, again with default options.
$xmlDOM = new DOMDocument();
$xmlDOM->loadXML($postData);

$xD = $xmlDOM->documentElement;
foreach($xD->childNodes AS $xN){
 print $xN->nodeName . " = " . $xN->nodeValue . "<br>";
}

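The following is an added example, not code from the original post or from any answer on this page. It assumes PHP 8 with libxml2 2.9 or later on a Unix-like host; the temp file standing in for /etc/passwd, the entity name xxe and the function names are constructed for the demo. It puts the three pieces of a working PHP XXE demo side by side: a DOCTYPE whose internal subset is written in square brackets, a parse with LIBXML_NOENT (which is what actually makes libxml2 fetch the external entity) next to the default-flag parse used in the handler above, and a hardened parse that refuses any DTD.

```php
<?php
// Added example, not code from the original post. Shows why a PHP XXE demo
// needs a bracketed DOCTYPE, an entity reference in the body, and LIBXML_NOENT.
// The "secret" file is constructed in the temp dir so the script runs offline
// (paths assume a Unix-like host, so the file:// URI ends up with three slashes).

libxml_use_internal_errors(true);   // collect parser errors instead of printing them

$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, "root:x:0:0:root:/root:/bin/bash\n"); // constructed sample line

// The internal subset goes in square brackets; "( ... )" is a DTD syntax error,
// so libxml2 rejects the document instead of declaring the entity.
$payload = '<?xml version="1.0"?>'
    . '<!DOCTYPE entry [ <!ENTITY xxe SYSTEM "file://' . $secretPath . '"> ]>'
    . '<entry><row>1</row><ex>&xxe;</ex></entry>';

// Vulnerable: LIBXML_NOENT tells libxml2 to substitute entities, which makes it
// load the external one through PHP's stream layer. A SYSTEM "http://..." URL
// turns the same bug into SSRF (subject to allow_url_fopen).
function parseVulnerable(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? '' : (string) $doc->ex;
}

// Default flags, as in the question's handler: the entity is declared but never
// substituted, so nothing from the file reaches the output.
function parseDefault(string $xml): string
{
    $doc = simplexml_load_string($xml);
    return $doc === false ? '' : (string) $doc->ex;
}

// Hardened: refuse any document that carries a DTD at all. That also removes
// parameter entities and entity-expansion (billion laughs) payloads. LIBXML_NONET
// is a second layer that blocks network fetches of external DTDs or entities.
function parseHardened(string $xml): ?SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    return $doc === false ? null : $doc;
}

echo "LIBXML_NOENT : ", parseVulnerable($payload);
echo "default flags: '", parseDefault($payload), "'\n";
echo "hardened     : ", parseHardened($payload) === null ? "rejected (DOCTYPE present)\n" : "accepted\n";

unlink($secretPath);
```

Run it with `php xxe_demo.php`: the first line echoes the constructed file's content back through the `<ex>` element, the second prints an empty string, and the third is rejected before the parser ever sees the DTD. The DOMDocument path behaves the same way: `$dom->loadXML($body, LIBXML_NOENT)` is the vulnerable form, and `loadXML($body)` with default options leaves the entity unexpanded. Because LIBXML_NOENT is the switch, the fix is not to call the deprecated `libxml_disable_entity_loader()` but to never pass LIBXML_NOENT (or LIBXML_DTDLOAD) and to reject documents with a DOCTYPE outright.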