An XML External Entity file generator for security testing.

Created by @bbuerhaus and @nahamsec

How to use it

  1. Select a file format: docx or xlsx
  2. Click the Generate File button.
  3. Select the URL to download the generated file.
  4. Open up the listener.php link.
  5. Upload the docx or xlsx file to a website.
  6. Refresh the listener.php page and see if it made an external entity request.
  7. If the listener updated, the website is vulnerable to XXE.


If you opt to change the listener URL, the generated XXE document will make its request to whatever URL you specify, so make sure you have request logs or a logger sitting at that URL.
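
The defender-side counterpart to the test above, as an added example that is not part of the original tool: a pre-parse check an upload handler can run to reject docx or xlsx files whose XML parts declare a DTD or entity. The function names, the sample documents and the listener.example host are assumptions constructed for the illustration.

```python
import io
import re
import zipfile

# A DTD or entity declaration; legitimate OOXML parts never carry one.
DTD_PATTERN = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
XML_SUFFIXES = (".xml", ".rels", ".vml")


def find_dtd_parts(ooxml_bytes):
    """Return names of XML parts in a docx/xlsx that declare a DTD or entity."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            data = archive.read(info)
            # A UTF-16 part would hide the ASCII pattern; normalise it first.
            if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
                data = data.decode("utf-16", errors="replace").encode("utf-8")
            if DTD_PATTERN.search(data):
                flagged.append(info.filename)
    return flagged


def build_sample(document_xml):
    """Build a constructed, minimal docx-like archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        archive.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples; listener.example is a placeholder host.
CLEAN = b'<?xml version="1.0"?><document><body/></document>'
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE document [<!ENTITY ext SYSTEM "http://listener.example/">]>'
    b"<document><body>&ext;</body></document>"
)

if __name__ == "__main__":
    print(find_dtd_parts(build_sample(CLEAN)))
    print(find_dtd_parts(build_sample(WITH_DTD)))
```

This is a filter in front of the parser; the fix itself is to configure the XML parser that processes uploads to refuse DTDs and external entities.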
