XXE
XXE Payload Generator
docx · xlsx · pdf · oob · ssrf · blind
Output Format
DOCX
XLSX
PDF
Raw XML
Payload Type
Vector
File Read (in-band)
OOB Exfiltration (parameter entities)
SSRF
Blind Ping (confirm XXE)
Billion Laughs (DoS)
⚠ Documents don't return entity values inline — use OOB for file exfiltration.
Target File / URL
Attacker URL (no trailing slash)
Injection Scope
Injected DOCTYPE
evil.dtd — host this on your server
Archive Contents