What is XML External Entity (XXE)?

Definition

XXE

What is XML External Entity?

A vulnerability in applications that parse XML input with a misconfigured parser that allows the processing of external entity references embedded in the document. XXE attacks can read arbitrary files from the server filesystem, trigger server-side request forgery, enumerate internal network services, and in some cases achieve remote code execution via error-based exfiltration. XXE is prevented by disabling external entity processing in XML parsers and using safer serialization formats such as JSON where XML is not required.

Related terms

Server-Side Request Forgery (SSRF) →

A vulnerability that allows an attacker to induce a server to make HTTP requests to arbitrary internal or external destinations on their behalf, bypassing network segmentation and firewall controls.

Remote Code Execution (RCE) →

A critical vulnerability class that allows an attacker to execute arbitrary commands or code on a target system from a remote location, typically without requiring physical access or prior authentication.

Payload →

The component of an attack that performs the attacker's intended malicious action after a vulnerability has been triggered.

OWASP Top 10 →

A regularly updated consensus list of the ten most critical security risks to web applications, published by the Open Web Application Security Project (OWASP).

Put this into practice

Autonomous OWASP vulnerability scanning →

See how Penetrify's autonomous AI agents find and validate this class of security issue in your application.