🔒 Academy Room 9 · Hard

XML External Entity (XXE) Injection

Learn XXE the way it's actually exploited — hands-on, against a live target. Read server-side files and pivot into internal-only services through a single vulnerable XML parser in the LedgerFlow lab.

⚡ Start the XXE Lab How it works →
// Overview

What Is XML External Entity Injection?

XML External Entity injection is a vulnerability that arises when an application parses XML input and the parser is allowed to resolve external entities — references inside the XML document that point at resources outside it. When an attacker controls that XML, they can make the server fetch and disclose local files, reach services that are only reachable from inside the network, or exhaust resources with a denial-of-service payload.

XXE is deceptively common because the sink is invisible unless you know to look for it. Any endpoint that accepts XML — a SOAP API, a document importer, a file-upload flow that unpacks XML under the hood, a feed parser — is a candidate. The bug almost always comes down to a parser configured to trust the document it's given.

// Why It Matters

Real-World Impact

Local File Disclosure

Read files off the server

An external entity can reference a path on the server's own filesystem. When the parser resolves it, the file's contents are pulled into the document — exposing configuration, credentials, or source code that was never meant to leave the box.

SSRF via XXE

Reach internal services

The same mechanism can point at an internal URL instead of a file. The server dutifully fetches it, letting an attacker reach admin panels, metadata endpoints, and microservices that return 403 to the outside world — turning an XML bug into a network pivot.

// OWASP

Where XXE Sits in the OWASP Top 10

XXE was its own category — A4 — in the OWASP Top 10 2017. In the 2021 revision it was consolidated into A05:2021 – Security Misconfiguration, reflecting that the root cause is an insecure parser configuration rather than a flaw in XML itself. The impact classes below are what make it a high-severity finding.

Impact What the attacker gains Severity
File disclosure Read arbitrary server-side files High
SSRF Reach internal-only network services High
Denial of service Exhaust memory via recursive entities Medium
Data exfiltration Blind out-of-band retrieval of file contents High
// The Workflow

How PhantomRed Fits Into an XXE Assessment

The core lesson of Room 9 is that automation and human judgment are a pipeline, not a competition. An autonomous scan maps the attack surface in minutes — the exposed paths, the forbidden endpoints, the open ports. But XXE is interaction-based: it only reveals itself when you submit a crafted document and watch how the server responds. That's the gap a human closes.

In the lab, you run a real PhantomRed scan against LedgerFlow, read the findings it surfaces, then take over manually to prove the XXE the scanner can't see:

This is the same progression Room 8 introduced with a dedicated SSRF lab — and XXE is where the two classes chain together, since an external entity can drive the SSRF itself.

// What You'll Learn

Learning Objectives

Concepts

  • What XML external entities are and why parsers resolve them
  • Which parser flags re-enable dangerous entity handling
  • How XXE maps onto the OWASP Top 10

Hands-On Skills

  • Reading a scan report to map an XML-parsing attack surface
  • Disclosing server-side files through a crafted entity
  • Pivoting to internal-only endpoints via XXE-driven SSRF
// FAQ

Frequently Asked Questions

What is XXE (XML External Entity injection)?
XXE is a web vulnerability where an application parses XML input that references external entities. When the parser resolves those entities, an attacker can read local files on the server, reach internal-only services, or trigger denial-of-service. It appears wherever untrusted XML is parsed with external entity resolution enabled.
Is XXE in the OWASP Top 10?
Yes. XXE was its own category (A4) in the OWASP Top 10 2017 and is now folded into A05:2021 Security Misconfiguration, since insecure XML parser configuration is the root cause. It remains a high-impact class of bug in APIs, file-upload flows, and any service that accepts XML.
How do you exploit XXE?
An attacker submits XML that defines an external entity pointing at a resource the server can reach — for example a local file path or an internal URL — and references that entity inside the document. When the server parses it with external entities enabled, the resolved content is reflected back or acted upon. In the LedgerFlow lab you practice this end to end against a live target.
What is the difference between XXE and SSRF?
SSRF tricks a server into making requests to unintended destinations. XXE is an XML-parsing flaw — but an XXE can be used to perform SSRF, because an external entity can point at an internal URL. They are distinct vulnerability classes that frequently chain together, which is exactly what Room 9 demonstrates after Room 8's dedicated SSRF lab.
Can an automated scanner detect XXE?
Scanners are excellent at mapping attack surface — open ports, forbidden paths, exposed files — but XXE is interaction-based and often invisible to passive scanning, because triggering it requires submitting a crafted payload and observing server-side behavior. PhantomRed maps the surface automatically; the human closes the gap with targeted exploitation. That workflow is the core lesson of the room.
How do you prevent XXE?
Disable DTD processing and external entity resolution in your XML parser — this is the default in modern libraries and should stay off. Prefer less complex data formats like JSON where possible, validate and sanitize XML input, and keep parser libraries patched. The vulnerability almost always comes from explicitly re-enabling dangerous parser flags.
// Related

Related Rooms & Guides

// Get Started

Practice XXE Against a Live Target

The LedgerFlow lab is live and free to play. Run a real autonomous scan, then exploit the XXE the scanner can't see — file read and SSRF pivot, end to end.

⚡ Open the XXE Lab Start a Free Scan →