IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Learn
  3. XML External Entity Injection (XXE)
Server-SideHigh

XML External Entity Injection (XXE)

Also known as: XXE

XML External Entity (XXE) injection targets applications that parse XML using a processor configured to resolve external entities. By defining a malicious DOCTYPE, an attacker can read local files, trigger server-side requests (SSRF), or exhaust resources. XXE typically stems from insecure default parser configurations.

CWE
CWE-611
OWASP
A05:2021

How it works

  1. 1The application parses attacker-supplied XML (uploads, SOAP, SAML, document formats).
  2. 2The XML parser has external entity resolution enabled.
  3. 3The attacker declares an external entity pointing at a local file or internal URL.
  4. 4The parser resolves it, returning file contents or issuing an internal request.

Example

<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY x SYSTEM "file:///etc/passwd">
]>
<data>&x;</data>
An external entity reading a local file.

Impact

XXE can disclose sensitive files, pivot into SSRF against internal services, and cause denial of service. In some stacks it escalates to remote code execution.

Remediation

  • Disable DOCTYPE and external entity resolution in every XML parser.
  • Prefer less complex data formats (JSON) where XML is not required.
  • Patch and configure parsers to the secure defaults documented by OWASP.
  • Validate uploads and reject XML containing DOCTYPE declarations.

Detection & testing

Submit XML with benign external entities and out-of-band callbacks to detect resolution. Review every XML-parsing entry point, including SAML and document uploads.

Impactr tests for XML External Entity Injection (XXE) the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.

Test my app for XXE

Tools

ImpactrBurp SuiteOWASP ZAPinteractsh

Frequently asked questions

Why did XXE move under Security Misconfiguration in OWASP 2021?

In the 2021 Top 10, XXE was merged into A05:2021 – Security Misconfiguration, reflecting that it usually results from insecure parser configuration rather than a distinct category.

Related concepts

Server-Side Request Forgery (SSRF)Path Traversal (Directory Traversal)Insecure Deserialization
← All vulnerabilities
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub