XML EXTERNAL ENTITY / XXE
defined.

What is XML External Entity (XXE)?

If your application accepts XML and the parser resolves external entities (the default in some libraries), an attacker can include <!ENTITY xxe SYSTEM "file:///etc/passwd"> and read arbitrary files.

Defence: disable DOCTYPE / external entity processing in every XML parser you use. Most libraries (libxml2, Java DocumentBuilderFactory, .NET XmlReader) require explicit configuration.

Related terms.

• SQL Injection
• Server-Side Request Forgery (SSRF)
• Remote Code Execution (RCE)
• Server-Side Template Injection (SSTI)

Where this shows up.

See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.