XML External Entity (XXE) Injection

XXE injection abuses an XML parser that resolves external entities, letting an attacker read local files, reach internal services, and exfiltrate data.

XML External Entity (XXE)Generate payloads Cheat SheetCopy-ready payloads Testing GuideStep by step

What it is

XXE occurs when an application parses attacker-controlled XML with external entity resolution enabled. Defined entities can reference local files or remote URLs, so the parser returns file contents or makes server-side requests on the attacker's behalf.

How to test for it

Submit XML that defines an external entity pointing at a local file or a URL you control, and check whether the file contents appear in the response or an inbound request arrives. Use out-of-band and parameter-entity techniques for blind XXE.

How to prevent it

Disable DOCTYPE declarations and external entity resolution in the XML parser — the configuration varies per library but the goal is the same. Prefer less complex data formats like JSON where XML isn't required.

In-depth articles

XXE Injection: Complete Exploitation Guide with OOB Exfiltration14 min read

Frequently asked questions

What can an attacker do with XXE?+

Read local files, perform SSRF against internal services, exfiltrate data out-of-band, and in some parsers cause denial of service — all by controlling the XML an application parses.

What is blind / out-of-band XXE?+

When the parsed result isn't reflected back, attackers use parameter entities to send file contents to an external server they control, recovering data through DNS or HTTP callbacks.

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...