LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What vulnerabilities can XXE lead to and how do you prevent them?

XXE can read local files, cause DoS (billion-laughs entity expansion), trigger SSRF, and sometimes RCE. The cleanest fix is to disable DTD/external-entity processing in the parser — or avoid XML for untrusted input altogether.

XXE (XML External Entity) exploits XML parsers configured to process external entity references in DTDs. An attacker crafts malicious XML with <!ENTITY> declarations that reference external resources (local files, URLs), and the parser resolves them — leaking data or triggering server-side actions.

XXE can lead to:

  • Data leak & exfiltration - Read local files
  • DoS - Billion laughs attack (entity expansion)
  • RCE - Remote code execution in some configurations
  • SSRF - Server-side request forgery

Countermeasures:

  • Use other formats like JSON instead of XML
  • Disable processing of XXE and DTD in XML parsers
  • Update components to patched versions
  • Validate XML and XSL input

See: OWASP XXE Prevention Cheat Sheet

From Quiz: SPRG / OWASP Top 10 | Updated: Jun 20, 2026