XML External Entity (XXE) happens when an XML parser is allowed to resolve external entities and the application parses untrusted XML. An external entity is a placeholder that tells the parser to fetch data from a file or a URL at parse time. If that feature is enabled, the attacker can make the server read local files or contact internal services.
In practice, XXE comes from two conditions:
1) The app parses attacker-controlled XML.
2) The parser is configured to load DTDs and expand entities.
The impact depends on what the parser can access. The most common outcomes are local file read (for example /etc/passwd), server-side request forgery (SSRF) against internal endpoints, and sometimes denial of service through heavy entity expansion.
Example
Imagine the following PHP code that parses user-supplied XML with a configuration that enables external entities.
The dangerous part is the combination of LIBXML_DTDLOAD (load DTDs) and LIBXML_NOENT (expand entities). If an attacker controls the XML body, they can declare an external entity and reference it inside the document. For example, the following payload reads /etc/passwd from the server:
When the parser expands &xxe;, the file content is injected into the XML tree. A simplified response could look like:
External entities can also point to internal URLs, which turns XXE into SSRF. The parser will make the HTTP request and inject the response into the XML tree:
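As an added example that is not part of the original page, the weak flag combination described above is shown beside a hardened parse that refuses any DTD before libxml sees it. The sample XML is constructed for the demo and the file path in it is a placeholder; the function names are my own.

```php
<?php
// Added example, not code from the original page.
declare(strict_types=1);

// Weak: LIBXML_DTDLOAD loads the DTD and LIBXML_NOENT expands entities, so an
// external entity declared by the sender is resolved at parse time.
function parse_weak(string $xml): SimpleXMLElement|false
{
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_DTDLOAD | LIBXML_NOENT);
}

// Hardened: reject any document carrying a DOCTYPE or ENTITY declaration, never
// set LIBXML_NOENT, and add LIBXML_NONET so the parser cannot reach the network.
// (libxml 2.9+ and PHP 8 already disable external entity loading by default;
// the explicit check is defence in depth against a flag change elsewhere.)
function parse_hardened(string $xml): SimpleXMLElement
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml) === 1) {
        throw new InvalidArgumentException('DTD/entity declarations are not accepted');
    }
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new InvalidArgumentException('malformed XML');
    }
    return $doc;
}

// Constructed sample: an external entity pointing at a placeholder path.
$untrusted = <<<XML
<?xml version="1.0"?>
<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>
<order><item>&ext;</item></order>
XML;

try {
    parse_hardened($untrusted);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n"; // the hardened parser refuses it
}

// A benign document without a DTD still parses normally.
$benign = '<?xml version="1.0"?><order><item>widget</item></order>';
echo 'item: ' . parse_hardened($benign)->item . "\n";
```

Logging the rejection (rather than silently dropping the request) gives a cheap detection signal, since legitimate clients almost never send a DOCTYPE.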
Trainings
Now that you know the basics of XXE, you can practice on the following challenges: