Writeup — Exploiting XXE to Perform SSRF Attacks

📰 Medium · Cybersecurity

Learn how to exploit XML External Entity (XXE) vulnerabilities to perform Server-Side Request Forgery (SSRF) attacks, allowing access to internal addresses that are normally restricted.

advanced Published 18 Jun 2026
Action Steps
  1. Identify potential XXE vulnerabilities in XML parsing code
  2. Craft a malicious XML payload to exploit the XXE vulnerability
  3. Use the XXE vulnerability to force the server to send a request to an internal address
  4. Analyze the server's response to determine the success of the SSRF attack
  5. Apply this knowledge to improve the security of your own systems and protect against similar attacks
Who Needs to Know This

This article is relevant to cybersecurity teams, particularly those focused on penetration testing and vulnerability assessment, as it provides a detailed example of how to exploit XXE vulnerabilities to gain unauthorized access to internal systems.

Key Insight

💡 XXE vulnerabilities can be used to perform SSRF attacks, allowing attackers to access internal addresses that are normally restricted.

Share This
🚨 Exploit XXE vulnerabilities to perform SSRF attacks and gain access to internal addresses! 🚨

Key Takeaways

Learn how to exploit XML External Entity (XXE) vulnerabilities to perform Server-Side Request Forgery (SSRF) attacks, allowing access to internal addresses that are normally restricted.

Full Article

Title: Writeup — Exploiting XXE to Perform SSRF Attacks

URL Source: https://medium.com/@pradityaarga80/writeup-exploiting-xxe-to-perform-ssrf-attacks-0acb24d902df?source=rss------cybersecurity-5

Published Time: 2026-06-18T15:55:40Z

Markdown Content:
# Writeup — Exploiting XXE to Perform SSRF Attacks | by praditya arga | Jun, 2026 | Medium

[Sitemap](https://medium.com/sitemap/sitemap.xml)

[Open in app](https://play.google.com/store/apps/details?id=com.medium.reader&referrer=utm_source%3DmobileNavBar&source=post_page---top_nav_layout_nav-----------------------------------------)

Sign up

[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmedium.com%2F%40pradityaarga80%2Fwriteup-exploiting-xxe-to-perform-ssrf-attacks-0acb24d902df&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)

[](https://medium.com/?source=post_page---top_nav_layout_nav-----------------------------------------)

Get app

[Write](https://medium.com/m/signin?operation=register&redirect=https%3A%2F%2Fmedium.com%2Fnew-story&source=---top_nav_layout_nav-----------------------new_post_topnav------------------)

[Search](https://medium.com/search?source=post_page---top_nav_layout_nav-----------------------------------------)

Sign up

[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmedium.com%2F%40pradityaarga80%2Fwriteup-exploiting-xxe-to-perform-ssrf-attacks-0acb24d902df&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)

![Image 1: Unknown user](https://miro.medium.com/v2/resize:fill:32:32/1*dmbNkD5D-u45r44go_cf0g.png)

# Writeup — Exploiting XXE to Perform SSRF Attacks

[![Image 2: praditya arga](https://miro.medium.com/v2/da:true/resize:fill:32:32/0*DBkceWv08_lDOrkI)](https://medium.com/@pradityaarga80?source=post_page---byline--0acb24d902df---------------------------------------)

[praditya arga](https://medium.com/@pradityaarga80?source=post_page---byline--0acb24d902df---------------------------------------)

Follow

4 min read

·

1 hour ago

[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fvote%2Fp%2F0acb24d902df&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40pradityaarga80%2Fwriteup-exploiting-xxe-to-perform-ssrf-attacks-0acb24d902df&user=praditya+arga&userId=af1c2aa22c4e&source=---header_actions--0acb24d902df---------------------clap_footer------------------)

[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Frepost%2Fp%2F0acb24d902df&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40pradityaarga80%2Fwriteup-exploiting-xxe-to-perform-ssrf-attacks-0acb24d902df&user=praditya+arga&userId=af1c2aa22c4e&source=---header_actions--0acb24d902df---------------------repost_header------------------)

[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fbookmark%2Fp%2F0acb24d902df&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40pradityaarga80%2Fwriteup-exploiting-xxe-to-perform-ssrf-attacks-0acb24d902df&source=---header_actions--0acb24d902df---------------------bookmark_footer------------------)

[Listen](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2Fplans%3Fdimension%3Dpost_audio_button%26postId%3D0acb24d902df&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40pradityaarga80%2Fwriteup-exploiting-xxe-to-perform-ssrf-attacks-0acb24d902df&source=---header_actions--0acb24d902df---------------------post_audio_button------------------)

Share

This lab shows how an XML External Entity (XXE) vulnerability can be used to perform Server-Side Request Forgery (SSRF). Unlike the previous XXE exploit that was used to read local files on the server, this time the external entity is used to force the server to send a request to an internal address that regular users shouldn’t be able to access.

Press enter or click to view image in full size

![Image 3](https://miro.medium.com/v2/resize:fit:700/1*DCNGfLPldusZyT_WC7rbog.png)

Pr
Read full article → ← Back to Reads

Related Videos

AI Found ALL Vulnerabilities - Release Delayed!
AI Found ALL Vulnerabilities - Release Delayed!
Pranjal
Is your free email putting your bank account at risk? #Podcast #Interview #Efani #BankAccounts
Is your free email putting your bank account at risk? #Podcast #Interview #Efani #BankAccounts
efani
Photo Metadata Exposure Explained
Photo Metadata Exposure Explained
efani
Hackers, Scammers & Surveillance: The 3 Biggest Threats to Your Privacy | Ep. 26
Hackers, Scammers & Surveillance: The 3 Biggest Threats to Your Privacy | Ep. 26
efani
How to Detect and Block Canvas Fingerprinting
How to Detect and Block Canvas Fingerprinting
efani
Is your email account actually secure? Here’s a simple fix. #podcast #interview #efani #security
Is your email account actually secure? Here’s a simple fix. #podcast #interview #efani #security
efani