What Is XXE (XML External Entity)?

XXE (XML External Entity injection) is a vulnerability in which an XML parser, while processing attacker-supplied input, dereferences external entities declared in the document's DTD. Depending on the parser and platform, that lets the attacker read local files, make requests to internal services (SSRF), and in some configurations (for example PHP's expect:// stream wrapper) execute code. CWE-611 (Improper Restriction of XML External Entity Reference) is the canonical identifier.

How XXE gets exploited

The classic payload: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>. If the parser resolves external entities (many did by default for years), the file content replaces &xxe; in the parse result, and anything the application echoes back from that result (an error message, a stored field, an API response) carries it to the attacker. Common variants: out-of-band (the entity points at an attacker-controlled server, which is how data leaves when nothing is reflected); blind (the result never reaches the response, so a parameter entity loads an attacker-hosted DTD that smuggles the file contents into a URL, or an error message or timing difference serves as the oracle); entity-expansion DoS ("billion laughs", which abuses the same DTD surface with nested internal entities rather than external ones); and SSRF via XXE (the entity points at an internal HTTP service or a cloud metadata endpoint).
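To make the classic payload concrete, here is an added example (not code from this page or from SQUR) using Python's standard-library xml.sax. It writes a throwaway file with constructed contents to stand in for /etc/passwd, parses the payload with the parser's external-entity feature switched on, then parses it again with the feature off: the file contents come back as the element text in the first case and nothing in the second. Assumptions: a POSIX file path, and xml.sax's feature_external_ges as the misconfiguration (recent Python releases leave it off by default; older ones did not).

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for /etc/passwd so the demo runs anywhere writable.
SECRET = "db_password=hunter2\n"


def write_secret_file():
    """Create a throwaway file playing the role of /etc/passwd; return its path."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET)
    return path


def classic_xxe_payload(target_path):
    """The page's classic payload aimed at an absolute path (assumption: POSIX,
    so 'file://' + '/tmp/x' yields the valid URL file:///tmp/x)."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file://%s">]>'
        '<foo>&xxe;</foo>' % target_path
    ).encode()


class TextCollector(ContentHandler):
    """Gathers character data, i.e. what the application sees as <foo>'s text."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax and return <foo>'s text. The second argument is the
    one switch that matters here: xml.sax's feature_external_ges."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def demo():
    """Run the same payload through a misconfigured and a default parser."""
    path = write_secret_file()
    try:
        payload = classic_xxe_payload(path)
        leaked = parse_text(payload, resolve_external_entities=True)
        safe = parse_text(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities on :", repr(leaked))  # the file contents
    print("external entities off:", repr(safe))    # empty string
```

The only difference between the two parses is one parser feature; nothing about the payload or the application code changes. That is the whole lesson of XXE: the bug lives in parser configuration, not in the XML you were expecting to receive.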

Where XXE shows up

Any feature that accepts XML input: SOAP APIs (Microsoft's WCF, Java JAX-WS), SAML single sign-on callbacks (the assertion is XML), document-import features (DOCX, XLSX and the other Office Open XML formats are zipped XML; XMP metadata in PDFs and images is XML), SVG uploads (SVG is XML), RSS and Atom feed parsers, and configuration file uploads. A JSON-only API is not vulnerable on its own, but two things catch teams out: frameworks that content-negotiate will often parse a request resent with Content-Type: application/xml even though the documentation only mentions JSON, and file-upload features usually hand the file to an XML parser somewhere further down the chain.

How SQUR detects XXE

For every endpoint that accepts XML, the validator submits a document declaring an external entity that points at a SQUR-controlled out-of-band (OOB) server. The finding is confirmed only when that server receives the resulting request, so the application's own response is never relied on. For blind XXE, where nothing is reflected, the validator switches to parameter entities and to timing-based or error-based oracle channels.
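The out-of-band confirmation described above can be reproduced on a single machine. The following is an added example, not SQUR's scanner code: it starts a loopback HTTP listener, builds a probe whose external entity points at that listener with a random per-probe token, feeds the probe to two constructed stand-in "endpoints" (Python xml.sax parsers, one with external entities enabled), and reports a finding only if the listener saw the token. The listener, the token scheme and the two targets are assumptions made for the demo.

```python
import http.server
import io
import secrets
import threading
import xml.sax
from xml.sax.handler import feature_external_ges


class OOBListener(http.server.BaseHTTPRequestHandler):
    """Records the path of every request; a real OOB service also logs DNS."""
    hits = []

    def do_GET(self):
        type(self).hits.append(self.path)
        body = b"<!-- served by the OOB listener -->"  # parsed as entity content
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_listener():
    """Bind the listener on a free loopback port and serve it in the background."""
    server = http.server.HTTPServer(("127.0.0.1", 0), OOBListener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def oob_probe(listener_url, token):
    """Probe document: all it does is make the parser fetch a URL carrying a
    per-probe token, so the listener can attribute the hit to this probe."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE p [<!ENTITY x SYSTEM "%s/xxe/%s">]>'
        '<p>&x;</p>' % (listener_url, token)
    ).encode()


def probe_for_xxe(target_parse, listener):
    """Send one probe to `target_parse` (a stand-in for the target endpoint) and
    return True only if the listener saw the token. Nothing about the target's
    response is consulted, which is what makes this work for blind cases."""
    token = secrets.token_hex(8)
    url = "http://127.0.0.1:%d" % listener.server_address[1]
    try:
        target_parse(oob_probe(url, token))
    except Exception:
        pass  # the target may error out or say nothing; the listener decides
    return any(token in path for path in OOBListener.hits)


# Two hypothetical targets, constructed for the demo (not real endpoints).
def target_vulnerable(xml_bytes):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # resolves SYSTEM entities
    parser.parse(io.BytesIO(xml_bytes))


def target_safe(xml_bytes):
    parser = xml.sax.make_parser()  # default: external entities are skipped
    parser.parse(io.BytesIO(xml_bytes))


if __name__ == "__main__":
    listener = start_listener()
    try:
        print("vulnerable target:", probe_for_xxe(target_vulnerable, listener))
        print("safe target      :", probe_for_xxe(target_safe, listener))
    finally:
        listener.shutdown()
        listener.server_close()
```

The token is what turns a noisy listener into evidence: a hit that carries the token proves this probe, against this endpoint, caused the outbound request, even when the endpoint's HTTP response is a generic error. In production the listener would be on a public host and would record DNS lookups too, since DNS often escapes networks that block outbound HTTP.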

Remediation pattern

Configure the XML parser to disable DTDs entirely, which removes external entities, external DTD loading and entity-expansion DoS in one step. In Java (DocumentBuilderFactory, SAXParserFactory and the like): factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); if your documents genuinely need a DTD, at least set "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false and "http://apache.org/xml/features/nonvalidating/load-external-dtd" to false. In Python lxml: etree.XMLParser(resolve_entities=False, no_network=True). In .NET: XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit (and XmlResolver = null on XmlDocument). Defence in depth: validate input against a strict XML schema and reject unexpected elements and attributes; never trust the XML parser's default configuration, because defaults differ between libraries and versions, and a library upgrade or a second parser pulled in by a dependency can silently change them.
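As an added example in Python (not from this page, and not the lxml configuration it quotes), the following hardens the standard-library expat binding the way the Java disallow-doctype-decl feature does: a StartDoctypeDeclHandler aborts the parse as soon as a DOCTYPE appears, before any entity declaration is read, which is also the hook defusedxml relies on. It also shows why a substring check for "<!DOCTYPE" is not a substitute: the same payload re-encoded as UTF-16 slips past the substring check but not the parser-level one. Sample inputs are constructed; the file path in the XXE sample is never opened because the parse stops first.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when the input carries a DOCTYPE, and therefore a DTD, at all."""


def parse_text_no_dtd(xml_bytes):
    """Parse with the stdlib expat binding and return the concatenated
    character data, refusing any document that declares a DOCTYPE.
    StartDoctypeDeclHandler fires before the internal subset is read, so
    neither external entities nor entity-expansion bombs get processed."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r is not allowed" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.CharacterDataHandler = chunks.append
    # Deliberately no ExternalEntityRefHandler: raw expat does not fetch
    # SYSTEM entities on its own, so this is belt and braces.
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def is_rejected(xml_bytes):
    """True if the hardened parser refused the document."""
    try:
        parse_text_no_dtd(xml_bytes)
    except DoctypeRejected:
        return True
    return False


def naive_doctype_check(xml_bytes):
    """The substring check some code uses instead of configuring the parser.
    Shown for contrast: it misses the same document in another encoding."""
    return b"<!DOCTYPE" in xml_bytes


def as_utf16(xml_bytes):
    """Re-encode an ASCII document as UTF-16 with a BOM; the parser still
    understands it, the substring check does not."""
    return xml_bytes.decode("ascii").encode("utf-16")


# Constructed sample inputs.
CLEAN = b'<?xml version="1.0"?><order><id>42</id></order>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<foo>&xxe;</foo>')
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz ['
                  b'<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
                  b']><lolz>&lol3;</lolz>')

if __name__ == "__main__":
    print("clean document :", parse_text_no_dtd(CLEAN))
    print("classic XXE    :", "rejected" if is_rejected(XXE) else "PARSED")
    print("billion laughs :", "rejected" if is_rejected(BILLION_LAUGHS) else "PARSED")
    print("naive check on UTF-16 XXE:", naive_doctype_check(as_utf16(XXE)))
```

Rejecting the DOCTYPE outright is the right default for any API that exchanges data rather than documents: legitimate machine-to-machine XML almost never carries a DTD, and the one rule covers external entities, parameter entities and expansion bombs at once.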

Frequently asked questions

Is XXE still relevant in 2026?

Yes, and more often than teams expect. Modern frameworks mostly default to safe parsing, but XML is still everywhere: SAML authentication flows, document-import features, legacy SOAP integrations, mobile apps that exchange XML with their backends. SQUR finds XXE in roughly 5% of production assessments, nearly always in features the team had forgotten were XML-backed.

How does XXE relate to SSRF?

XXE is one of several ways to reach SSRF: the XML parser is the component that makes the outbound request on the attacker's behalf. Real-world exploit chains often use XXE-as-SSRF to query a cloud metadata service and steal IAM credentials, the same impact as a direct SSRF through a different entry point. One limit worth knowing: the request an entity triggers is a plain GET with no attacker-controlled headers, so metadata services that require a token fetched via PUT with a custom header (AWS IMDSv2) are out of reach this way, which is one more reason to enforce them.

Related terms

SSRF, RCE, CVSS Score, CWE
