XXE Injection


The application is vulnerable to XXE injection. The XML standard defines entities, which allow an XML parser to retrieve local or remote content via a declared system identifier. An improperly configured XML parser can enable an attacker to use XXE injection to define entities that are external to the current XML document. Allowing an attacker to control the source of content that is loaded into the XML document can lead to a number of attacks, including the disclosure of sensitive information.


XXE injection is a serious vulnerability that allows attackers to access files and directories outside the XML document. With arbitrary access to the file system, an attacker can read configuration data, passwords, log files, source code, intellectual property, or system files. Besides the disclosure of sensitive data, this attack may lead to a denial of service, enable malicious code execution, or allow the attacker to conduct a port scan from the perspective of the machine where the parser is located.
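The two paragraphs above describe the mechanism (a DOCTYPE that declares an entity with a SYSTEM identifier) and the impact (file disclosure, denial of service through entity expansion). The standard mitigation is to refuse any DTD in untrusted input before the document is handed to the application parser. The following is an added example, not code from the original page: it uses Python's standard-library expat bindings to detect DOCTYPE and entity declarations, reports what it found, and only then parses with ElementTree. The sample documents, the file path in the SYSTEM identifier and the function names are constructed for this example.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or any entity."""


def dtd_findings(xml_bytes: bytes) -> list:
    """Scan a document with expat and record every DOCTYPE and entity
    declaration. Returns a list of human-readable findings; an empty
    list means the document declares no DTD at all.

    No ExternalEntityRefHandler is installed, so expat never fetches
    the SYSTEM identifier while scanning; it only reports it.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        entry = "DOCTYPE %s" % name
        if system_id:
            # An external subset is itself a fetch from a SYSTEM identifier.
            entry += " with external subset %s" % system_id
        findings.append(entry)

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            # External entity: the classic XXE vector (local file or URL).
            findings.append("external entity %s -> %s" % (name, system_id))
        else:
            # Internal entity: harmless alone, but nested internal entities
            # are the building block of entity-expansion denial of service.
            findings.append("internal entity %s (%d chars)" % (name, len(value or "")))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)
    return findings


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Reject any document that carries a DTD, otherwise parse it."""
    findings = dtd_findings(xml_bytes)
    if findings:
        raise DtdNotAllowed("; ".join(findings))
    return ET.fromstring(xml_bytes)


def is_rejected(xml_bytes: bytes) -> bool:
    """True if parse_untrusted refuses the document."""
    try:
        parse_untrusted(xml_bytes)
    except DtdNotAllowed:
        return True
    return False


# Constructed sample input: a plain document with no DTD.
CLEAN_DOC = b"""<?xml version="1.0"?>
<order><id>42</id><item>widget</item></order>"""

# Constructed sample input: an external entity whose SYSTEM identifier
# points at a placeholder local path, referenced from element content.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY leak SYSTEM "file:///path/to/secret.txt">
]>
<order><id>&leak;</id></order>"""

# Constructed sample input: nested internal entities, the shape used
# for entity-expansion denial of service (kept tiny here).
EXPANSION_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<order><id>&b;</id></order>"""


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("xxe", XXE_DOC), ("expansion", EXPANSION_DOC)):
        print(label, "->", dtd_findings(doc) or "no DTD, parsed id=%s" % parse_untrusted(doc).findtext("id"))
```

The check runs before the real parse, so it does not depend on which parser features the application's XML library enables by default; the findings string is what a reviewer would want in the finding write-up (entity name and the SYSTEM identifier it pointed at). Rejecting every DTD, rather than only external entities, also closes the internal-entity expansion case the page lists under denial of service.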

Risk Rating


How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas




