Module 10 · XML External Entity Injection (XXE)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 19, 2026
11 min read
Read as

Last updated: May 1, 2026

100% Free

No signup. No paywall. No catch. One of our 10 most-requested practitioner modules — published in full so anyone can learn for free. We earn through consulting, not by gating knowledge.

See all 10 free modules →

XML External Entity (XXE) injection exploits XML parsers that process references to external entities. A classic vulnerability in XML-consuming applications — SOAP services, document upload features, SAML, configuration parsers. Can lead to file disclosure, SSRF, DoS, and RCE.

XML External Entity (XXE) injection exploits XML parsers that process references to external entities. A classic vulnerability in XML-consuming applications — SOAP services, document upload features, SAML, configuration parsers. Can lead to file disclosure, SSRF, DoS, and RCE.

How XXE works

XML supports external entities — references to external resources. When a parser fetches the referenced content and substitutes it into the document, attacker-controlled references can point at sensitive local files or internal URLs.

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>

Parser sees &xxe;, expands it to contents of /etc/passwd. If the parsed content is echoed back (e.g. in an API response), attacker receives the file.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants
← Previous · Module 9
Module 9 · Server-Side Request Forgery (SSRF)
← Back to Academy Hub
Continue Learning

Other modules in this track

View all modules
Academy
Module 1 · Beginner

How HTTP actually works at the wire level — methods, status codes, headers, cookies, TLS. The…

Apr 19, 2026 · 11 min read
Academy
Module 2 · Beginner

Subdomain enumeration, technology fingerprinting, directory brute-forcing, JavaScript bundle analysis, and Wayback reconnaissance.

Apr 19, 2026 · 11 min read
Academy
Module 3 · Beginner

Username enumeration, password spraying, credential stuffing, session attacks, JWT vulnerabilities, OAuth/SAML flaws, MFA bypasses.

Apr 19, 2026 · 11 min read