Quiz Entry - updated: 2026.07.05
What are XML External Entities (XXE) and how do they work?
XXE abuses an XML parser that's configured to resolve external entities: the attacker defines an entity pointing at a local file or URL, and the parser fetches it — e.g. &xxe; defined as file:///etc/shadow dumps that file into the response.
* XXE — an external entity in attacker XML resolves to a local file read or an internal request (SSRF) when the parser allows it. *
It's classed under A05 Security Misconfiguration because the flaw is a parser left in a dangerous default mode (external entity resolution enabled).
XML Entities:
- Key/value pairs (e.g.,
<=<) - Defined in DTD (Document Type Definition)
- Can be internal or external
Custom entity example:
<!DOCTYPE foo [ <!ENTITY myentity "value" > ]>
External entity (dangerous):
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://something.com" > ]>
File read attack:
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/shadow" >
]>
<foo>&xxe;</foo>
Go deeper:
PortSwigger — XXE injection — entity mechanics, file-read / SSRF / blind variants, with labs.
XML external entity attack (Wikipedia) — concise write-up with concrete
file://disclosure andexpect://RCE examples.