LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are XML External Entities (XXE) and how do they work?

XXE abuses an XML parser that's configured to resolve external entities: the attacker defines an entity pointing at a local file or URL, and the parser fetches it — e.g. &xxe; defined as file:///etc/shadow dumps that file into the response.

XXE: attacker XML defines an external entity; a misconfigured parser resolves it to a local file or an internal URL (SSRF).

* XXE — an external entity in attacker XML resolves to a local file read or an internal request (SSRF) when the parser allows it. *

It's classed under A05 Security Misconfiguration because the flaw is a parser left in a dangerous default mode (external entity resolution enabled).

XML Entities:

  • Key/value pairs (e.g., &lt; = <)
  • Defined in DTD (Document Type Definition)
  • Can be internal or external

Custom entity example:

<!DOCTYPE foo [ <!ENTITY myentity "value" > ]>

External entity (dangerous):

<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://something.com" > ]>

File read attack:

<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/shadow" >
]>
<foo>&xxe;</foo>

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 05, 2026