August 2018
Beginner
594 pages
22h 33m
English
An XML external entity (XXE) attack targets an application that parses XML input. When the XML input contains a reference to an external entity and is processed by an XML parser that has not been configured appropriately, the application is vulnerable to this attack.
Denial of service (DoS), the disclosure of sensitive data, and Server-Side Request Forgery (SSRF) are all possible with an XXE attack. One type of DoS attack that XXE makes possible is called a billion laughs attack. It is sometimes also referred to as an XML bomb or an exponential entity expansion attack.
Regardless of the name, it works by defining ten entities, the first of which is simply defined ...
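What "configured appropriately" can look like in practice, as an added example that is not code from the book: a Python parser built on the standard library's expat bindings that refuses any document carrying a DOCTYPE, so no entity, internal or external, can be declared. The function names and the sample documents are assumptions constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """The document uses a construct this policy refuses to process."""


def _reject(what):
    def handler(*_args):
        raise ForbiddenXML(what + " not allowed in untrusted XML")
    return handler


def parse_untrusted(xml_text):
    """Build an element tree from xml_text, refusing any DTD or entity."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.buffer_text = True
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    # Without a DOCTYPE no entity can be declared, so rejecting it covers both
    # entity expansion and external entities; the other two are a second line.
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    parser.EntityDeclHandler = _reject("entity declaration")
    parser.ExternalEntityRefHandler = _reject("external entity reference")
    parser.Parse(xml_text, True)
    return builder.close()


def is_rejected(xml_text):
    """True when parse_untrusted refuses the document."""
    try:
        parse_untrusted(xml_text)
    except ForbiddenXML:
        return True
    return False


def stdlib_default_text(xml_text):
    """Root text as seen by the unconfigured standard-library parser."""
    return ET.fromstring(xml_text).text


# Constructed sample documents (not from the book).
SAFE = "<order><item>widget</item></order>"
INTERNAL = '<!DOCTYPE r [<!ENTITY greet "hello">]><r>&greet;</r>'
EXTERNAL = ('<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
            "<r>&ext;</r>")
```

The unconfigured parser silently expands the entity in `INTERNAL`, while `parse_untrusted` accepts `SAFE` and raises `ForbiddenXML` for both DOCTYPE-bearing documents before any entity is read.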