# XML Entity Injection (XXE)

**Articles / Blogs:**

* <http://www.christian-schneider.net/GenericXxeDetection.html>
* <https://medium.com/@asif.baig330/lithium-community-platform-xxe-vulnerability-6454dd9377f8>
* <https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870>
* <https://blog.zsec.uk/out-of-band-xxe-2/>
* <https://www.slideshare.net/ssuserf09cba/xxe-how-to-become-a-jedi>
* <https://blog.netspi.com/playing-content-type-xxe-json-endpoints/>
* <https://hawkinsecurity.com/2018/03/24/gaining-filesystem-access-via-blind-oob-xxe/>
* <https://versprite.com/blog/xml-external-entity-xxe-processing/?utm_content=73970973&utm_medium=social&utm_source=twitter>
* <http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html>
* <https://medium.com/@jonathanbouman/xxe-at-bol-com-7d331186de54>
* <https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation>
* <https://securityidiots.com/Web-Pentest/XXE/XXE-Cheat-Sheet-by-SecurityIdiots.html>
* <https://www.exploit-db.com/docs/english/45374-xml-external-entity-injection---explanation-and-exploitation.pdf>
* <https://2017.zeronights.org/wpcontent/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf>
* <https://github.com/BuffaloWill/oxml_xxe>
* <https://0xgaurang.medium.com/out-of-band-xxe-in-an-e-commerce-ios-app-e22981f7b59b>
* <https://blog.cobalt.io/how-to-execute-an-xml-external-entity-injection-xxe-5d5c262d5b16>
* <https://f4d3.io/xxe_wild/>
* <https://github.com/GoSecure/dtd-finder/blob/698fd678f26395e1c7c097525f7182aecad0cd5f/list/xxe_payloads.md>
* <https://www.blackhat.com/html/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.html>
* <https://www.youtube.com/watch?v=LZUlw8hHp44>
* <https://faun.pub/xxe-attacks-750e91448e8f>
* <https://estebancano.medium.com/unique-xxe-to-aws-keys-journey-afe678989b2b>
* <https://smoggy-mozzarella-076.notion.site/XXE-9d5d3f12a5c4487e82fddf564d792fcd>
* <https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe>

**Tools / Payloads:**

**Twitter:**

* <https://twitter.com/huntmost/status/1216033868773580800>
* <https://twitter.com/soaj1664ashar/status/1080877419723194370>
* <https://twitter.com/honoki/status/1301092916551659522>
* <https://twitter.com/Bugcrowd/status/1342184648856616972?s=20>
* <https://twitter.com/harshbothra_/status/1350891025032646656?s=20>

![](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-Mj8AmJLxhrN-eDpqfhN%2F-Mj8Aq9zWE0GmXbQvcLy%2Fimage.png?alt=media\&token=70abefb0-a7da-44de-ab54-d066dbff6d6c)

![](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-Mj8AmJLxhrN-eDpqfhN%2F-Mj8Atq0IXlWqDWU2W7j%2Fimage.png?alt=media\&token=21deeeff-1c82-4b7a-8762-aee135201e00)

{% embed url="<https://twitter.com/0xCyberPirate/status/1393965129218224128?s=20>" %}

{% embed url="<https://twitter.com/infosec_au/status/1344508325703008256?s=20>" %}

{% embed url="<https://twitter.com/naman_1910/status/1397865202868133889?s=20>" %}

{% embed url="<https://twitter.com/Alra3ees/status/1403175322011512839?s=20>" %}
