XML external entity attacks (XXEs)

Portswigger Academy XML external entity (XXE) injection Labs

XML external entity attacks (XXEs) are fascinating vulnerabilities that target an application's XML parser: a crafted document declares an external entity, and a parser configured to resolve external entities fetches it on the attacker's behalf.

XXE is less common (~10-15% of apps) but extremely dangerous when present. You can find it in legacy APIs (SOAP, XML-RPC), PDF generators, document processors that parse Office files or SVG (both are XML underneath), and misconfigured cloud services (AWS S3, Azure Blob).

Testing for it is worthwhile on any system that processes XML (finance and healthcare platforms are typical) because a successful XXE can lead to SSRF, RCE, or data leaks (e.g., reading /etc/passwd).
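The parser-side root cause described above can be made concrete with a small defender's gate. The following is an added example, written for this page and not taken from the PortSwigger labs or any project code: it uses only Python's standard-library expat bindings to scan an untrusted document for the DTD constructs an XXE depends on (a DOCTYPE, external or parameter entity declarations, and entity references that point outside the document) without ever resolving them, and then parses only documents that carry no DTD at all. The two sample documents are constructed for the example; the `file:///etc/passwd` target mirrors the data-leak case the text names.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when an untrusted document carries DTD constructs we refuse to parse."""


def scan_xml_entities(xml_text):
    """Walk an XML document with expat and report every DTD construct that an
    XXE or entity-expansion attack relies on, without resolving any of them.

    Returns a list of tuples:
      ("doctype", name)                  any <!DOCTYPE ...> at all
      ("external_subset", uri)           DOCTYPE that points at an external DTD
      ("external_entity", name, uri)     <!ENTITY x SYSTEM "..."> or PUBLIC
      ("parameter_entity", name)         <!ENTITY % x ...>
      ("internal_entity", name, length)  <!ENTITY x "..."> (expansion-bomb signal)
      ("external_ref", uri)              &x; in content whose entity is external
    """
    findings = []
    parser = expat.ParserCreate()
    # Never load the external DTD subset or parameter entities while scanning.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name))
        if system_id is not None or public_id is not None:
            findings.append(("external_subset", system_id or public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if is_param:
            findings.append(("parameter_entity", name))
        elif system_id is not None or public_id is not None:
            findings.append(("external_entity", name, system_id or public_id))
        else:
            findings.append(("internal_entity", name, len(value or "")))

    def on_external_ref(context, base, system_id, public_id):
        # Record the attempted fetch; returning non-zero lets expat continue
        # without us ever opening the file or URL.
        findings.append(("external_ref", system_id or public_id))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_text, True)
    return findings


def safe_parse(xml_text):
    """Parse untrusted XML only when it carries no DTD constructs at all (the
    'disable DTDs entirely' policy). Returns the root Element, or raises
    UnsafeXML with the scanner's findings, which are worth logging as a
    detection signal."""
    findings = scan_xml_entities(xml_text)
    if findings:
        raise UnsafeXML("rejected XML: " + "; ".join(str(f) for f in findings))
    return ET.fromstring(xml_text)


# Constructed sample inputs (not from the page or the labs).
BENIGN_ORDER = '<?xml version="1.0"?><order><id>1234</id><item>widget</item></order>'

XXE_ORDER = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<order><id>&xxe;</id></order>'
)


if __name__ == "__main__":
    print("benign:", scan_xml_entities(BENIGN_ORDER))
    print("xxe:   ", scan_xml_entities(XXE_ORDER))
    print("parsed id:", safe_parse(BENIGN_ORDER).find("id").text)
    try:
        safe_parse(XXE_ORDER)
    except UnsafeXML as exc:
        print(exc)
```

The scanner is deliberately a gate in front of the real parser rather than a replacement for hardening it: `xml.etree.ElementTree` itself does not expand external entities (it raises a `ParseError` when one is referenced), but the same document handed to a DTD-resolving parser such as an unhardened libxml2 or Java DOM setup is exactly the case the text warns about, and the findings list gives you something to alert on either way.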


Last update: 2025-05-19 17:27