An XML parser with external entity resolution enabled. Supply a DOCTYPE that declares an entity pointing at a local file or internal HTTP endpoint — the parser resolves it and returns the contents in the response.
XXE occurs when an application parses XML that includes a DOCTYPE declaration defining external entities. If the parser follows SYSTEM references without restriction, an attacker can read local files via file://, trigger server-side requests via http://, or perform denial-of-service via recursive entity expansion. The fix is to disable DOCTYPE processing entirely.
| Outcome | Test case |
| --- | --- |
| True Positive | Plain XML with no DOCTYPE or entity declarations — parses correctly |
| Bug Found | file:///etc/passwd — unsafe parser resolves the entity and leaks system user accounts |
| Bug Found | http://169.254.169.254/ — SSRF via XXE; parser makes outbound request to cloud metadata endpoint and injects the IAM credentials into the response |
| True Positive | Safe endpoint rejects any DOCTYPE declaration before entity resolution |
This endpoint parses the submitted XML using Python's standard xml.etree.ElementTree with no restrictions on DOCTYPE declarations or external entity resolution. Paste a payload or use a quick-test button.
This endpoint rejects any XML document that contains a DOCTYPE declaration before attempting to parse it. External entity resolution never takes place.
✓ DOCTYPE declarations rejected
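The pre-parse DOCTYPE check the safe endpoint describes, and the reason the XXE paragraph recommends refusing DOCTYPE processing outright rather than filtering individual entities, as an added Python example; this is not the lab's own code. It uses only the standard library (xml.etree.ElementTree and xml.parsers.expat); the names has_doctype, parse_untrusted and classify, and the sample documents, are constructed for illustration. The file:// sample mirrors the case in the table above.

```python
"""Pre-parse DOCTYPE rejection for untrusted XML (added example, not the lab's code)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DoctypeRejected(ValueError):
    """The submitted document declares a DOCTYPE, which this endpoint refuses."""


class _DoctypeSeen(Exception):
    """Internal signal used to stop the scan at the first DOCTYPE."""


def has_doctype(data: bytes) -> bool:
    """Return True if the document contains a DOCTYPE declaration.

    The scan uses expat's StartDoctypeDeclHandler instead of a substring
    search, so it follows XML syntax: '<!DOCTYPE' inside a comment does not
    count, a real declaration does. The handler aborts the scan as soon as
    the declaration starts, before any internal subset is read, and no
    entity handlers are registered, so nothing is fetched or expanded here.
    """
    scanner = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise _DoctypeSeen(name)

    scanner.StartDoctypeDeclHandler = on_doctype
    try:
        scanner.Parse(data, True)
    except _DoctypeSeen:
        return True
    except expat.ExpatError:
        # Malformed input with no DOCTYPE so far: let the real parser report it.
        return False
    return False


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client, refusing any DOCTYPE up front.

    Without a DOCTYPE there is no place to declare entities, so neither
    external entity resolution nor recursive expansion can occur downstream.
    """
    if has_doctype(data):
        raise DoctypeRejected("DOCTYPE declarations are not accepted")
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Summarise how the endpoint treats a document: parsed, rejected or malformed."""
    try:
        root = parse_untrusted(data)
    except DoctypeRejected:
        return "rejected"
    except ET.ParseError:
        return "malformed"
    return f"parsed:{root.tag}"


# Constructed sample inputs (not captured traffic).
PLAIN = b"<note><to>ops</to><body>hello</body></note>"
# An external SYSTEM entity, the shape of the file:// case in the table above.
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE note [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
                   b"<note>&x;</note>")
# A DOCTYPE with no entities at all is still refused: the policy is "no DOCTYPE".
BARE_DOCTYPE = b'<!DOCTYPE note SYSTEM "note.dtd"><note>x</note>'
# '<!DOCTYPE' inside a comment is not a declaration and must not be rejected.
COMMENTED = b"<!-- <!DOCTYPE note> --><note>x</note>"
# Mismatched tags: neither a DOCTYPE nor well-formed XML.
BROKEN = b"<note><to>ops</note>"

if __name__ == "__main__":
    samples = [("plain", PLAIN), ("external entity", EXTERNAL_ENTITY),
               ("bare doctype", BARE_DOCTYPE), ("commented", COMMENTED),
               ("broken", BROKEN)]
    for label, doc in samples:
        print(f"{label:16} -> {classify(doc)}")
```

The check runs before ElementTree ever sees the bytes, so the decision does not depend on which entity features a given parser build enables; a commented-out DOCTYPE is accepted because expat reports only real declarations, while a DOCTYPE with no entities is still refused because the policy is on the declaration, not on its contents.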