An XXE (XML External Entity) payload abuses an XML parser that resolves external entities defined in the document's DOCTYPE. By declaring an entity that points to a local file or URL, an attacker can read files like /etc/passwd, perform SSRF, or trigger out-of-band requests when the parser expands the entity into the response or a callback.
Use a parameter entity in an external DTD hosted on your server to wrap the target file in a URL, then trigger an HTTP or FTP request back to you. The XXE generator builds these OOB chains, including the nested-entity trick needed because many parsers forbid parameter entities inside internal subsets.
Point an external entity at an internal URL such as http://169.254.169.254/latest/meta-data/ to make the parsing server fetch IAM credentials or instance data on your behalf. This works because the vulnerable server, not your machine, resolves the entity, bypassing network filtering.
Yes. The XXE generator and every tool on Payload Playground are completely free and run 100% in your browser, so no XML, target details, or payloads are ever sent to a server. Use it only against systems you are authorized to test.