xxe

Hunt XML External Entity flaws in parsers and validate file read / SSRF impact with strict negative controls.

By PurpleAILAB. Updated 6/2/2026

name: xxe
description: Hunt XML External Entity flaws in parsers and validate file read / SSRF impact with strict negative controls.
metadata:
  subdomain: web-exploitation
  when_to_use: "xxe xml external entity parser file read ssrf cwe-611 dtd parameter entity blind oob"

XXE Playbook

Find parser sinks

  • Java: DocumentBuilderFactory, SAXParserFactory, XMLInputFactory
  • Python: lxml.etree, xml.dom.minidom, xml.sax
  • .NET: XmlDocument, XDocument, XmlReader

Dangerous defaults

  • DTD enabled
  • External entities enabled
  • Network/file entity resolution enabled

Payloads

  • File read: entity to file:///etc/passwd
  • SSRF: entity to internal URL (metadata service, localhost admin)

Validation

  • Positive: parser output contains file content or internal response markers.
  • Negative: same XML without entity expansion must not leak content.
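
A defensive counterpart to the negative control above, added here as an example and not part of the Decepticon skill: it parses untrusted XML with Python's standard-library expat parser configured to refuse all external resolution, and reports the DTD features (external general entities, parameter entities, external DTD) that an XXE attempt depends on. The function names audit_xml and is_xxe_attempt and both sample documents are constructed for this example.

```python
import xml.parsers.expat as expat
# Constructed samples (not from the page): the shape of a classic external
# general-entity probe, and a benign document as the negative control.
SUSPECT_XML = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY ext SYSTEM "file:///etc/passwd">
]>
<data>&ext;</data>"""
BENIGN_XML = b"""<?xml version="1.0"?><data>just text</data>"""


def audit_xml(data: bytes) -> dict:
    """Parse untrusted XML with expat configured so nothing external is ever
    fetched, and record the DTD features an XXE attempt relies on."""
    report = {"external_entities": [], "parameter_entities": [],
              "external_dtd": None, "blocked_refs": [], "text": ""}
    parser = expat.ParserCreate()
    # Never expand parameter entities (the vector behind blind/OOB XXE).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:  # DOCTYPE pointing at an external DTD
            report["external_dtd"] = sysid or pubid

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:  # SYSTEM/PUBLIC identifier means external
            key = "parameter_entities" if is_param else "external_entities"
            report[key].append((name, sysid or pubid))

    def on_external_ref(context, base, sysid, pubid):
        # Refuse to resolve: record the attempt and return 1 so parsing goes
        # on with the reference expanded to nothing (no file read, no SSRF).
        report["blocked_refs"].append(sysid or pubid)
        return 1

    def on_text(chars):
        report["text"] += chars

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return report


def is_xxe_attempt(report: dict) -> bool:
    """True when the document asks for any external resolution at all."""
    return bool(report["external_entities"] or report["parameter_entities"]
                or report["external_dtd"])
```

Run against the suspect document the report lists the declared entity and the blocked reference while the text content stays empty, which is exactly the "must not leak content" outcome the negative control demands.
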

Install via CLI

npx skills add https://github.com/PurpleAILAB/Decepticon --skill xxe

Repository Details

  • Stars: 4,323
  • Forks: 860
  • Branch: main
  • Path: SKILL.md