> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# XML External Entity

> Cross-platform resources for XML External Entity: curated HTB machines, PortSwigger labs and TryHackMe rooms with validated writeups and related skills.

# XML External Entity

This page aggregates **cross-platform resources to practice XML External Entity**: retired Hack The Box machines, PortSwigger Web Security Academy labs and TryHackMe rooms, plus curated resources (HackTricks, PortSwigger, etc.) and related skills.

## Curated resources

| Source     | Link                                                                                                                                                               |
| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| HackTricks | [https://book.hacktricks.wiki/en/pentesting-web/xxe-xee-xml-external-entity.html](https://book.hacktricks.wiki/en/pentesting-web/xxe-xee-xml-external-entity.html) |

## HTB machines practicing XML External Entity (6)

| Machine                                                   | OS      | Difficulty                                           |
| --------------------------------------------------------- | ------- | ---------------------------------------------------- |
| [Aragog](/en/htb/machines/linux/medio/aragog)             | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [BountyHunter](/en/htb/machines/linux/facil/bountyhunter) | Linux   | <span className="dbadge dbadge-easy">EASY</span>     |
| [DevOops](/en/htb/machines/linux/medio/devoops)           | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Fulcrum](/en/htb/machines/linux/insano/fulcrum)          | Linux   | <span className="dbadge dbadge-insane">INSANE</span> |
| [NodeBlog](/en/htb/machines/linux/facil/nodeblog)         | Linux   | <span className="dbadge dbadge-easy">EASY</span>     |
| [RE](/en/htb/machines/windows/dificil/re)                 | Windows | <span className="dbadge dbadge-hard">HARD</span>     |

## PortSwigger labs practicing XML External Entity (9)

| Lab                                                                                                                                                           | Difficulty                                                 | Topic                     | Official                                                                                                             |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| [Exploiting XXE to perform SSRF attacks](/en/portswigger/labs/xxe/exploiting-xxe-to-perform-ssrf)                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | XXE (XML External Entity) | [Open](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)                                  |
| [Exploiting XXE to retrieve data by repurposing a local DTD](/en/portswigger/labs/xxe/blind-xxe-trigger-error-message-by-repurposing-local-dtd)               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | XXE (XML External Entity) | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)        |
| [Exploiting XXE using external entities to retrieve files](/en/portswigger/labs/xxe/exploiting-xxe-to-retrieve-files)                                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | XXE (XML External Entity) | [Open](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files)                                |
| [Blind XXE with out-of-band interaction](/en/portswigger/labs/xxe/blind-xxe-with-out-of-band-interaction)                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XXE (XML External Entity) | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)                          |
| [Blind XXE with out-of-band interaction via XML parameter entities](/en/portswigger/labs/xxe/blind-xxe-with-out-of-band-interaction-using-parameter-entities) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XXE (XML External Entity) | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities) |
| [Exploiting blind XXE to exfiltrate data using a malicious external DTD](/en/portswigger/labs/xxe/blind-xxe-with-out-of-band-exfiltration)                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XXE (XML External Entity) | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)                         |
| [Exploiting blind XXE to retrieve data via error messages](/en/portswigger/labs/xxe/blind-xxe-with-data-retrieval-via-error-messages)                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XXE (XML External Entity) | [Open](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages)                |
| [Exploiting XInclude to retrieve files](/en/portswigger/labs/xxe/xinclude-attack)                                                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XXE (XML External Entity) | [Open](https://portswigger.net/web-security/xxe/lab-xinclude-attack)                                                 |
| [Exploiting XXE via image file upload](/en/portswigger/labs/xxe/xxe-via-file-upload)                                                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | XXE (XML External Entity) | [Open](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)                                             |

## TryHackMe rooms practicing XML External Entity (4)

| Room                                                                   | Difficulty                                         | Type        | Access  | Official                                                 |
| ---------------------------------------------------------------------- | -------------------------------------------------- | ----------- | ------- | -------------------------------------------------------- |
| [Advent of Cyber 2024](/en/tryhackme/rooms/adventofcyber2024)          | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/adventofcyber2024)     |
| [GeoServer: CVE-2025-58360](/en/tryhackme/rooms/geoservercve202558360) | <span className="dbadge dbadge-easy">MEDIUM</span> | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/geoservercve202558360) |
| [NahamStore](/en/tryhackme/rooms/nahamstore)                           | <span className="dbadge dbadge-easy">MEDIUM</span> | Challenge   | 🟢 Free | [Open](https://tryhackme.com/room/nahamstore)            |
| [XXE Injection](/en/tryhackme/rooms/xxeinjection)                      | <span className="dbadge dbadge-easy">MEDIUM</span> | Walkthrough | 🔵 VIP  | [Open](https://tryhackme.com/room/xxeinjection)          |

## Related skills

* [/en/skills/lfi](/en/skills/lfi)
* [/en/skills/ssrf](/en/skills/ssrf)

***

← [Back to the full glossary](/en/glossary)

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"DefinedTerm","name":"XML External Entity","termCode":"xxe","inLanguage":"en","url":"https://rootea.es/en/skills/xxe","inDefinedTermSet":{"@type":"DefinedTermSet","name":"Tactical pentesting glossary","url":"https://rootea.es/en/glossary"}}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"ItemList","name":"HTB machines practicing XML External Entity","numberOfItems":6,"itemListElement":[{"@type":"ListItem","position":1,"url":"https://rootea.es/en/htb/machines/linux/medio/aragog","name":"Aragog"},{"@type":"ListItem","position":2,"url":"https://rootea.es/en/htb/machines/linux/facil/bountyhunter","name":"BountyHunter"},{"@type":"ListItem","position":3,"url":"https://rootea.es/en/htb/machines/linux/medio/devoops","name":"DevOops"},{"@type":"ListItem","position":4,"url":"https://rootea.es/en/htb/machines/linux/insano/fulcrum","name":"Fulcrum"},{"@type":"ListItem","position":5,"url":"https://rootea.es/en/htb/machines/linux/facil/nodeblog","name":"NodeBlog"},{"@type":"ListItem","position":6,"url":"https://rootea.es/en/htb/machines/windows/dificil/re","name":"RE"}]}`}
</script>

*Last updated: 2026-05-09*
