Comprehensive XXE Guide

A practitioner’s reference for XML External Entity injection — fundamentals, parser quirks, in-band and out-of-band exfiltration, parameter entity chains, file-format vectors, real-world CVEs, tooling, and hardening. Compiled from 40 research sources.

Table of Contents

1. Fundamentals
2. Attack Surface & Entry Points
3. Classic In-Band XXE
4. Blind XXE via External DTD
5. Error-Based XXE
6. Parameter Entities & Local DTD Chains
7. XXE → SSRF Pivoting
8. XXE → File Read & Information Disclosure
9. XXE → RCE
10. Parser-Specific Behaviors
11. XML File-Format Vectors
12. WAF & Filter Bypasses
13. Denial of Service
14. Real-World CVEs & Chains
15. Tooling
16. Detection & Prevention
17. Payload Quick Reference

1. Fundamentals

XXE (XML External Entity) injection occurs when an XML parser processes attacker-controlled input with DTD (Document Type Definition) and external entity resolution enabled. The parser treats SYSTEM identifiers as URIs, fetching and substituting their content into the document — yielding file read, SSRF, blind exfiltration, DoS, and in some stacks RCE. ...
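The defensive corollary of the mechanism above is that every entity declaration, internal or external, lives inside the DOCTYPE, so a parser that refuses the DOCTYPE outright closes the classic, blind and entity-expansion variants at once. The following gate is an added example, not code from the guide or any of its sources; it uses only Python's standard-library expat binding, and the three sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat


class DTDRejected(ValueError):
    """Raised when an untrusted document carries a DOCTYPE declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into a dict tree, aborting on the first DOCTYPE seen."""
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for "<!DOCTYPE x [...]>" and "<!DOCTYPE x SYSTEM ...>" alike;
        # the exception propagates out of parser.Parse() and stops parsing.
        raise DTDRejected(f"DOCTYPE {name!r} refused (sysid={sysid!r})")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Defence in depth: even if a DTD were reached, never fetch parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    stack, root = [], None

    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        if stack:
            stack[-1]["children"].append(node)
        stack.append(node)
    def end(tag):
        nonlocal root
        root = stack.pop()
    def text(chunk):  # character data may arrive in several chunks; join them
        stack[-1]["text"] += chunk

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(data, True)
    return root


def is_accepted(data: bytes) -> bool:
    """True if the gate lets the document through, False if a DTD was present."""
    try:
        return parse_untrusted_xml(data) is not None
    except DTDRejected:
        return False


# Constructed samples (not from the guide): a benign order and two DTD forms.
BENIGN = b'<order id="7"><item>book</item></order>'
INLINE_DTD = b'<!DOCTYPE o [<!ENTITY ext SYSTEM "file:///etc/hostname">]><o>&ext;</o>'
EXTERNAL_DTD = b'<!DOCTYPE o SYSTEM "http://dtd.example.invalid/o.dtd"><o/>'
```

Because the rejection happens in the DOCTYPE callback, the external DTD form is refused before any URI is fetched, which is the property to verify when auditing a real parser configuration.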