# XXE
## XInclude in XXE attack
```
```
```
Oops!
```
**Mitigation:** If possible disable XML extensions and entities expansion. Add proper rules for XML extensions that enable this same attack like XInclude and xop.
{% embed url="" %}
## XXE payloads
### Ping
```
%ext;
]>
```
### File disclosure
```
]>
```
```
]>
John
&ent;
```
### Denial of Service
```
&lol9;
```
## Resources
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}