Quiz Entry - updated: 2026.06.20
What vulnerabilities can XXE lead to and how do you prevent them?
XXE can read local files, cause DoS (billion-laughs entity expansion), trigger SSRF, and sometimes RCE. The cleanest fix is to disable DTD/external-entity processing in the parser — or avoid XML for untrusted input altogether.
XXE (XML External Entity) exploits XML parsers configured to process external entity references in DTDs. An attacker crafts malicious XML with <!ENTITY> declarations that reference external resources (local files, URLs), and the parser resolves them — leaking data or triggering server-side actions.
XXE can lead to:
- Data leak & exfiltration - Read local files
- DoS - Billion laughs attack (entity expansion)
- RCE - Remote code execution in some configurations
- SSRF - Server-side request forgery
Countermeasures:
- Use other formats like JSON instead of XML
- Disable processing of XXE and DTD in XML parsers
- Update components to patched versions
- Validate XML and XSL input