
XML External Entities (XXE) Challenges

OWASP A05:2021 - Security Misconfiguration (XXE)
XXE vulnerabilities occur when an XML parser is configured to resolve external entity references declared in a DOCTYPE. An attacker who controls the XML input can use them to read local files, reach internal services (SSRF), and exfiltrate data out of band. XXE had its own category (A4) in the 2017 Top 10 and is folded into A05:2021 Security Misconfiguration because the root cause is an unsafe parser default, not a flaw in the application's own code.
Beginner: Basic XXE

Learn the fundamentals of XXE injection. Declare an external entity that points at a file:// URI and reference it somewhere the application echoes the parsed content back, so the file contents appear in the response.

  • Points: 100
  • Estimated Time: 15 minutes
  • Skills: XML parsing, file retrieval
Easy: Blind XXE

When the application does not echo the parsed content back, use out-of-band techniques: a parameter entity pulls in an attacker-hosted DTD, which makes the parser send the file contents to a server you control via DNS or HTTP callbacks.

  • Points: 150
  • Estimated Time: 20 minutes
  • Skills: OOB exfiltration, parameter entities
Medium: XXE to SSRF

Leverage XXE to perform Server-Side Request Forgery (SSRF): point the entity at http:// URIs instead of files to reach internal services, cloud instance metadata endpoints (169.254.169.254 on the major clouds), and private APIs that are not exposed to the outside.

  • Points: 200
  • Estimated Time: 25 minutes
  • Skills: SSRF, internal recon, cloud metadata

Learning Resources

Understanding XXE Attacks

XML External Entity (XXE) injection is a vulnerability that targets applications parsing XML input. When an XML parser is configured to resolve external entities (still the default in some parsers), an attacker who controls the input can:

  • Read Local Files: Access /etc/passwd, configuration files, source code (anything the application's user can read)
  • Perform SSRF: Make requests from the server to internal services
  • Exfiltrate Data: Send file contents to attacker-controlled servers
  • Denial of Service: "Billion Laughs" attack through nested entity expansion. This one needs no external entity at all, only internal entity declarations, which is why rejecting DTDs outright is the stronger fix
XXE Payload Structure
<?xml version="1.0"?>
<!DOCTYPE root [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
Key Concepts
  • DOCTYPE: Document type declaration at the top of the document that can contain entity definitions (an internal DTD subset)
  • ENTITY: Defines reusable content (like variables in XML); &name; in the body is replaced by the entity's value
  • SYSTEM: Keyword that makes the entity external; its value is a URI (file://, http://, and whatever other schemes the parser supports)
  • Parameter Entities (%): Entities declared with a % and referenced only inside the DTD, never in the document body; they can load an external DTD and are the building block of blind and out-of-band XXE
Prevention Techniques
  • Disable DTDs: Configure the parser to reject any DOCTYPE declaration; this stops external entities and entity-expansion DoS with one setting (for example the http://apache.org/xml/features/disallow-doctype-decl feature in Java's JAXP parsers)
  • Disable External Entities: If DTDs must stay enabled, turn off external general entities, external parameter entities, and external DTD loading
  • Use Safe Parsers: Prefer libraries that do not resolve external entities by default (Python's defusedxml wraps the standard-library parsers), and check the version, since defaults have changed over time
  • Input Validation: Validate XML input as defense in depth, not as the fix; a schema check or a string match on DOCTYPE does not replace parser hardening and can be bypassed, for instance by sending the payload in a different encoding such as UTF-16
  • Use JSON: Consider JSON instead of XML where possible, since JSON has no entity mechanism; but check that the endpoint does not also accept XML when the client switches the Content-Type
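The payload structure above run against the two parser configurations from the prevention list, as an added example that is not part of the original page or of the challenge platform. It uses Python's standard-library expat bindings: parse_vulnerable installs an external-entity handler that fetches file:// URIs, which reproduces what an XXE-vulnerable parser does on its own, and parse_hardened rejects any DOCTYPE, which is the "disable DTDs" option expressed as a handler rather than a library-specific flag. The secret file, its contents, and the file:// target are constructed here; the function names are this example's own.

```python
"""Added example (not from the original page): the page's XXE payload run
against a vulnerable and a hardened expat-based reader, both built on the
Python standard library. The secret file and its contents are constructed."""
import os
import pathlib
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse
from urllib.request import url2pathname


def parse_vulnerable(xml_bytes):
    """Return the document's text content, resolving SYSTEM entities.

    This is the misconfiguration: the external-entity handler fetches the
    declared URI and splices its content into the document, exactly what a
    parser with external entities enabled does without any help.
    """
    text = []
    parser = expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        url = urlparse(system_id)
        if url.scheme != "file":          # only file:// is modelled here
            return 0                      # 0 makes expat abort the parse
        with open(url2pathname(url.path), "rb") as fh:
            body = fh.read()
        # A child parser sharing this parser's handlers parses the fetched
        # bytes as an external parsed entity; its character data lands in
        # the same `text` list, so the file becomes part of the document.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_hardened(xml_bytes):
    """Return the document's text content, refusing any DOCTYPE.

    Rejecting the DOCTYPE up front removes external entities, parameter
    entities and entity-expansion DoS in one stroke; no external-entity
    handler is installed either, so nothing is ever fetched.
    """
    text = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def build_payload(target_path):
    """The page's payload with file:///etc/passwd swapped for a file: URI
    pointing at `target_path` (a hypothetical target chosen by the caller)."""
    uri = pathlib.Path(target_path).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE root [\n"
        f'    <!ENTITY xxe SYSTEM "{uri}">\n'
        "]>\n"
        "<root>&xxe;</root>\n"
    ).encode()


def demo():
    """Plant a constructed secret, attack both parsers, report the outcome.

    Returns (text_leaked_by_vulnerable_parser, hardened_parser_rejected).
    """
    secret = b"db_password=hunter2\n"        # constructed sample content
    with tempfile.NamedTemporaryFile("wb", delete=False) as fh:
        fh.write(secret)
        secret_path = fh.name
    try:
        payload = build_payload(secret_path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
        return leaked, rejected
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, rejected = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser rejected payload:", rejected)
```

The vulnerable reader only handles file:// so the example stays offline; a real parser with external entities enabled also fetches http:// and other schemes, which is the SSRF path from the Medium challenge. Note that the hardened reader does not inspect the bytes for the string DOCTYPE; it lets the parser decode the input and refuses at the point where the declaration is recognised, so an encoding change in the payload does not get around it.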