Categories: Cyber Security

What are XXE Attacks? A Comprehensive Guide (2021)


An XML External Entity attack (XXE attack) is a type of attack against an XML input parsing program. This attack occurs when an XML parser that is weakly designed processes XML information containing an external object relation. In this article, we will discuss XEE attack, XML external entity, XEE example, XEE prevention and, XEE vulnerability.

In this article let us look at:

  1. What is XML external entity injection?
  2. How do XXE vulnerabilities arise?
  3. What are the types of XXE attacks?
  4. Exploiting XXE to retrieve files
  5. Finding hidden attack surface for XXE injection
  6. How to find and test for XXE vulnerability?
  7. How to prevent XXE vulnerability?

1. What is XML external entity injection?

XXE is a vulnerability of web security that allows an application to interfere with XML data processing by an attacker. Often, it helps an attacker to view files on the filesystem of the application server and to communicate with any backend or external structures accessed by the application itself. This attack can lead to sensitive data disclosure, denial of service, forgery of server-side requests, port scanning from the perspective of the computer where the parser is located, and other impacts on the device.

2. How do XXE vulnerabilities arise?

The simple answer to this question, XEE vulnerability can be triggered when

Is that the XEE (XML Eternal Entity Injection) vulnerability can be activated when certain endpoints that accept XML as input are detected. But often, you may find cases where the endpoints that accept XML may not be so evident (for example, those cases where the client uses only JSON to access the service). In these situations, a pen tester must try various things to see how the application reacts, such as changing the HTTP methods, Content-Type, etc. If the content is parsed by the application, then there is a scope for XXE.

3. What are the types of XXE attacks?

Various forms of XXE attacks exist:

  • Exploit XXE to recover files, where an external object that holds a file’s contents is specified and returned in the application’s response.
  • Exploit XXE to carry out SSRF attacks that specify an external entity based on the URL of the back-end system.
  • To exfiltrate out-of-band data, Blind XXE is used when sensitive data is transferred from the application server to an attacker-managed computer.
  • Using blind XXE to extract data through the error messages where the attacker may trigger a sensitive data-containing parsing error message.

4. Exploiting XXE to retrieve files

There are two ways:

  • Enter (or edit) a DOCTYPE element that specifies an external entity that contains the file path.
  • To make use of the defined external entity, edit the data value in the XML returned in the application’s response.

5. Finding hidden attack surface for XXE injection

The attack surface of XXE vulnerabilities is less apparent in certain unusual instances. 

  • XInclude Attacks: An example of this occurs when data sent by the customer is incorporated into a SOAP backend request, which is then carried out by the SOAP backend operation. You can’t perform a classic XXE attack in this case because you don’t control the entire XML document, so you can’t define or change a DOCTYPE feature. You may be able to use XInclude instead, however. XInclude is a part of the XML specification that makes it possible to create an XML document from sub-documents.

6. How to find and test for XXE vulnerability?

There are two options you have – manual or automatic. The overwhelming majority of XXE Vulnerabilities can be identified for you easily and accurately by Burp Suite Specialist.

Checking for XXE vulnerabilities manually normally involves:

  • Checking for file recovery by identifying an external entity based on a well-known file of the operating system and using that entity in the data returned in the response of the application.
  • Checking for blind XXE vulnerabilities by identifying and monitoring connections with a URL-based external object on a device that you control. For this function, the Burp Collaborator client is optimal.
  • Using an XInclude attack to try to extract a well-known operating system file, checking for insecure inclusion of user-supplied non-XML data inside a server-side XML document.

7. How to prevent XXE vulnerability?

Virtually all XXE vulnerabilities occur because the XML parsing library of the application supports potentially hazardous XML features not necessary or expected to be used by the application. Disabling such features is the simplest and most effective way of avoiding XXE attacks.

Generally, disabling the resolution of external entities and disabling support for XInclude is appropriate. This can usually be done through configuration options or by overriding the default behaviour programmatically. 


The addition of XXE attacks to the OWASP top 10 in 2017 as a new category was the result of an increased attack presence in many environments of this type of vulnerability. XXE was used by attackers to manipulate poorly configured XML processors, which are set by default in many instances, to allow an external entity relation to be defined within XML documents. By uploading XML documents or by manipulating insecure code and third-party dependencies, attackers have discovered ways to expose this vulnerability by using external entities for attacks.

So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give them an edge in this competitive world.


Ajay Sarangam

Published by
Ajay Sarangam

Recent Posts

Books on Analytics

Analytics is a vast field. At the one end, it overlaps with statistics and higher…

Career in analytics in a KPO

Do you love to explore and investigate information? Do you find spreadsheets to be a…

Indian companies using analytics

India has developed into the global hub for analytics. A large number of MNCs have…

IBM: Betting big on analytics

International Business Machines Corp. Or IBM as it is popularly known recently announced its restructuring…

How to build a successful career in analytics

So you have got a job as an analyst in your dream company? Here are…

What’s the sentiment on “sentiment analysis”?

What's the sentiment on "sentiment analysis"? Is the field ready to take off?