ShieldReport

XML External Entity (XXE)

Severity: high
OWASP A05:2021 (Security Misconfiguration) | CWE-611 (Improper Restriction of XML External Entity Reference) | Injection

What is XXE?

XML External Entity (XXE) attacks target applications that hand attacker-controlled XML to a parser that still processes document type definitions (DTDs). Entities declared in the DTD let the attacker make the parser read local files, send requests from the server (SSRF), or consume memory and CPU until the service fails (denial of service).

How it works

An attacker sends XML whose DTD declares external entities with SYSTEM identifiers pointing at file:// or http:// URIs. A parser with external entity processing enabled resolves each entity where it is referenced: it reads the named local file, such as /etc/passwd, or issues the request from the server, and substitutes the result into the document. If the application echoes that part of the document back, the file contents arrive in the response; if nothing is reflected, the attacker switches to parameter entities in an externally hosted DTD that send the data to a host they control (blind, or out-of-band, XXE). Many parsers enable this behaviour by default, so the vulnerability is usually a missing configuration rather than a coding error.

Impact

Local file disclosure, SSRF against internal services that trust the application server, denial of service through nested entity expansion (the billion laughs attack, which uses internal rather than external entities, so turning off external entity resolution alone does not stop it), and internal port scanning inferred from differences in parser errors or response times.

How ShieldReport detects this

ShieldReport sends external entity payloads to endpoints that accept XML and monitors for out-of-band interactions, that is, DNS or HTTP requests from the target to a listener ShieldReport watches. Such a callback confirms blind XXE even when nothing is reflected in the response.

How to fix it

Disable DTD processing, or at least external entity and external DTD resolution, in every XML parser the application uses, including the parsers inside libraries that handle XML for you (SOAP and SAML stacks, feed readers, SVG and Office file handling). The setting names differ by platform: on Java, set the feature http://apache.org/xml/features/disallow-doctype-decl to true on DocumentBuilderFactory and SAXParserFactory, and set XMLInputFactory.SUPPORT_DTD to false for StAX; in .NET, set XmlReaderSettings.DtdProcessing to DtdProcessing.Prohibit; with lxml, construct XMLParser(resolve_entities=False, no_network=True); in Python's standard library, use defusedxml. Prefer JSON where the format is yours to choose. Validate the parsed document against the expected schema; stripping DOCTYPE out of the raw text before parsing is defence in depth, not a fix. Keep XML libraries updated, since newer libxml2 releases leave external entity loading off by default and expat 2.4 added entity expansion limits.
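The following is an added example, not ShieldReport's code and not from the original page. It demonstrates both the mechanism described under "How it works" and the fix described here in one file, using only Python's standard library expat binding. Because Python's own parser ignores external entities unless told otherwise, the vulnerable half installs a resolver that reproduces what parsers which resolve external entities by default do (lxml's default XMLParser, or a Java DocumentBuilderFactory with no features set). The payload builders, the temporary file that stands in for /etc/passwd, the function names and the UnsafeXML error are all constructed for this example.

```python
import os
import tempfile
import xml.parsers.expat
from xml.etree.ElementTree import TreeBuilder


class UnsafeXML(ValueError):
    """Raised by the hardened parser when untrusted XML uses a refused feature."""


def file_read_payload(path):
    """Constructed attacker request: a DTD declaring an external entity backed by a local file."""
    return ('<?xml version="1.0"?>\n'
            f'<!DOCTYPE order [ <!ENTITY secret SYSTEM "file://{path}"> ]>\n'
            '<order><note>&secret;</note></order>')


def billion_laughs_payload(depth=3, fanout=10):
    """Constructed expansion bomb: e0 is "lol", each e_i references e_(i-1) fanout times."""
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{refs}">')
    return f'<!DOCTYPE bomb [ {" ".join(decls)} ]>\n<bomb>&e{depth};</bomb>'


def write_constructed_secret(content="root:x:0:0:root:/root:/bin/bash\n"):
    """Write a stand-in for /etc/passwd to a temp file (constructed data); return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


def parse_resolving_entities(xml_text):
    """Vulnerable case: the character data seen by a parser that resolves external entities."""
    # expat skips external entities unless given a handler; this handler does what parsers
    # that resolve them by default do: open the SYSTEM identifier and splice its text in.
    seen = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = seen.append

    def resolve(context, base, system_id, public_id):
        # Only file:// is honoured here; a resolver that also fetches http:// is the SSRF half.
        if not system_id.startswith("file://"):
            return 0
        child = parser.ExternalEntityParserCreate(context)  # inherits the parent's handlers
        with open(system_id[len("file://"):], "rb") as f:
            child.Parse(f.read(), True)  # file text must itself be well-formed entity content
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_text, True)
    return "".join(seen)


def parse_untrusted(xml_text, allow_dtd=False, max_expanded_chars=100_000):
    """Hardened parse of untrusted XML; returns the root xml.etree Element."""
    # By default any DOCTYPE is refused, which removes external entities, external DTDs and
    # expansion bombs in one step. With allow_dtd=True, internal entities are accepted,
    # every external reference is refused, and total entity expansion is capped.
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE declarations are not accepted")
        if system_id or public_id:
            raise UnsafeXML("external DTD subsets are not accepted")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None or system_id is not None:  # no replacement text means it is external
            raise UnsafeXML(f"external entity {name!r} is not accepted")

    builder, expanded = TreeBuilder(), 0

    def on_chars(text):
        nonlocal expanded
        expanded += len(text)
        if expanded > max_expanded_chars:  # billion-laughs budget
            raise UnsafeXML("entity expansion exceeds budget")
        builder.data(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda *args: 0  # returning 0 aborts the parse
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_text, True)
    return builder.close()


if __name__ == "__main__":
    secret = write_constructed_secret()
    print("vulnerable parser leaked:", parse_resolving_entities(file_read_payload(secret)).strip())
    print("bomb expanded to", len(parse_resolving_entities(billion_laughs_payload())), "chars")
    os.unlink(secret)
```

Running the file prints the contents of the stand-in secret file exactly as a reflecting endpoint would return them, and shows the 10x10x10 bomb expanding to 3,000 characters from a payload of a few hundred bytes; the same document fed to parse_untrusted raises UnsafeXML at the DOCTYPE, and with allow_dtd=True it is stopped at the first external entity declaration or by the expansion budget. In production Python code use defusedxml rather than hand-wiring expat as above; the value of the example is in showing which parser feature each payload depends on, so the matching setting can be turned off on whatever platform the application uses.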

Tags

injection, xml, file-disclosure

© 2026 ShieldReport. All rights reserved.
