
XXE – XML External Entities

XML (Extensible Markup Language) is a markup language designed for transferring data between two heterogeneous environments or platforms; it is both human-readable and machine-readable.

This attack targets a web application that parses XML input in which an external entity can be referenced, exploiting a weakness in how the parser handles that reference.

An ‘external entity’ in this scenario refers to a storage location outside the XML document itself, such as a hard drive, or a server or drive shared over the network. An XML parser can be manipulated into sending data to that unauthorized external entity, which can pass sensitive data directly to an attacker.

XXE takes advantage of the XML parsers in a web application, which end up processing and acting on a payload included as an external reference in the XML document being parsed.


Remediation Techniques:

  • Perform server-side input validation and sanitization in the application from the development stage onward, so that hostile data within XML documents is rejected.
  • Disable XML external entity and DTD processing in the parser.
  • Prefer less complex, widely adopted formats such as JSON, avoid serializing sensitive data, and keep all XML processors and libraries patched.
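As an added example (not code from the original page), the following Python shows the first two remediation points combined: a server-side gate that refuses any document carrying a DOCTYPE or ENTITY declaration before it reaches the parser, followed by parsing with the standard-library parser, which does not fetch external entities. The sample documents and the `file:///` path are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs for the example; the SYSTEM URI is a placeholder.
BENIGN = "<order><id>42</id><item>widget</item></order>"
WITH_DOCTYPE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    "<order><id>&ext;</id></order>"
)

# XML keywords are case-sensitive, but matching case-insensitively costs nothing
# and catches sloppy variants that some lenient parsers still accept.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when a document carries DTD or entity declarations."""


def _to_text(data):
    """Decode raw input before inspecting it, so a UTF-16 encoded document
    cannot slip a DOCTYPE past a check that only looks at UTF-8 bytes."""
    if isinstance(data, str):
        return data
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8")


def reject_dtd(data) -> str:
    """Server-side gate: the application never needs a DTD from a client,
    so any DOCTYPE or ENTITY declaration is treated as hostile input.
    This is a second layer; the parser itself must also have DTD and
    external entity processing disabled."""
    text = _to_text(data)
    if DOCTYPE_RE.search(text) or ENTITY_RE.search(text):
        raise UnsafeXMLError("DTD and entity declarations are not accepted")
    return text


def is_safe(data) -> bool:
    try:
        reject_dtd(data)
        return True
    except UnsafeXMLError:
        return False


def parse_untrusted(data) -> ET.Element:
    """Gate first, then parse. ElementTree's expat backend does not resolve
    external entities, so even a missed declaration is not fetched."""
    return ET.fromstring(reject_dtd(data))
```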