XML external entity attack
An XML External Entity (XXE) attack[1] is a type of computer security vulnerability typically found in Web applications. XXE enables attackers to disclose normally protected files from a server or connected network.
The XML standard includes the idea of an external general parsed entity (an external entity). During parsing of the XML document, the parser will expand these links and include the content of the URI in the returned XML document.
Example external entity attack:
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [ <!ENTITY xxeattack SYSTEM "file:///etc/passwd"> ]> <xxx>&xxeattack;</xxx>