XXE - TairinySimeonato/WebAuditing GitHub Wiki
- XXE (XML External Entity injection) is an attack against an application that parses XML input
- XML input containing a reference to an external entity (a file path or URL, for example) is processed by a misconfigured XML parser that resolves the reference
- The attack can cause DoS, SSRF, disclosure of sensitive data, LFI, port scanning and internal network mapping, and in some setups RCE
- An external entity can pull local files and external URLs into the document
- When the fetched content is echoed back or processed further, this can lead to LFI and RCE, raising the impact
- XML allows people to create documents easily read by both computers and humans
- The contents of XML are kept inside opening and closing tags (<tag>...</tag>)
- Usually the XML special characters are escaped with the predefined entities:
  - < --> &lt;
  - > --> &gt;
  - & --> &amp;
  - ' --> &apos;
  - " --> &quot;
- However, escaping only protects data that the application itself places inside an XML document it builds. XXE arises when the attacker supplies the whole document, including a DOCTYPE that declares entities, so it does not depend on sneaking these characters past an escaping routine
- A misconfigured parser might let a malicious user supply a file path instead of a string. The parser reads the file and the application may display its contents. The entity declaration
<!ENTITY body "Example here" >
can be changed to:
<!ENTITY body SYSTEM "file:///etc/passwd" >
- QUESTION: XXE --> LFI --> RCE ?? (reading files alone is not RCE; RCE needs a parser or URL wrapper that executes something when the entity is resolved, e.g. PHP's expect:// wrapper when the expect extension is installed)
- Some parsers return the contents of /etc/passwd in the response (in-band XXE); if nothing is echoed back, the attack is blind and needs out-of-band detection
- If you replace "file://" with "http://...", the server requests that URL on the attacker's behalf. This results in SSRF.
- The attacker can request internal web servers, scan for open ports (from differences in responses or timing) and map the internal network.
1) LFI
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
2) SSRF (same document as above, with the entity declaration replaced by)
<!ENTITY xxe SYSTEM "https://www.test.com" >]>
3) DoS (the entity points at an endless file, so the parser never finishes reading it)
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
- Disable DTD processing, or at least external entity resolution, in the XML parser or server configuration (double-check every parser in use: defaults differ per library and version)
- If possible, use less complex data formats such as JSON
- The XML parser should use a local static DTD (document type definition) rather than anything supplied in the input
- Server-side whitelist input validation, filtering, or sanitization
- XXEserv is an FTP/HTTP server used to catch the callbacks made by XXE payloads (useful for blind XXE, where nothing is echoed in the response)
- SAST helps to identify XXE-prone parser configurations in source code
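Added example (not from the wiki or any project it links): the LFI payload from the list above run through Python's standard-library SAX parser in a vulnerable configuration and in a hardened one, to show both the file read and the mitigation "disable external entity resolution in the parser". The entity points at a constructed temporary file standing in for /etc/passwd so the demo runs anywhere; the function names, the DenyExternalEntities resolver and the sample file content are assumptions of this example. Since Python 3.7.1 xml.sax ships with external general entities disabled, so the vulnerable case has to switch them on explicitly; for untrusted XML the OWASP cheat sheet recommends the defusedxml package, which is not used here to keep the example dependency-free.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler

# Constructed sample file content; stands in for /etc/passwd so the demo is self-contained.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash\n"


class TextCollector(handler.ContentHandler):
    """Collects every character-data callback. Content pulled in through an
    external entity arrives through the same callback as ordinary element text,
    which is exactly why an echoing application leaks the file."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class ExternalEntityBlocked(Exception):
    """Raised when the hardened resolver refuses an external entity."""


class DenyExternalEntities(handler.EntityResolver):
    """Defence in depth (hypothetical helper): refuse every SYSTEM/PUBLIC entity,
    local file or URL, even if someone later re-enables external general entities."""

    def resolveEntity(self, publicId, systemId):
        raise ExternalEntityBlocked(f"refused external entity {systemId!r}")


def xxe_payload(target_url: str) -> bytes:
    """The LFI payload from the notes, with the entity pointing at target_url
    instead of /etc/passwd."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        '<!DOCTYPE foo [\n'
        '<!ELEMENT foo ANY >\n'
        f'<!ENTITY xxe SYSTEM "{target_url}" >]>\n'
        '<foo>&xxe;</foo>'
    ).encode("latin-1")


def parse_untrusted(data: bytes, allow_external_entities: bool, resolver=None) -> str:
    """Parse XML and return its character data.

    allow_external_entities=True reproduces the misconfigured parser: the SAX
    reader fetches the SYSTEM identifier (file:// or http://) and expands it.
    allow_external_entities=False is the hardened setting: the reference is
    ignored and the entity expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    if resolver is not None:
        parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(data))
    return collector.text()


def demo() -> dict:
    """Run the same payload against the vulnerable and hardened configurations
    and report what each one returned."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "passwd")
        with open(secret, "w") as f:
            f.write(SECRET_CONTENT)
        payload = xxe_payload("file://" + secret)
        results = {
            # Misconfigured parser: the file content comes back as element text.
            "vulnerable": parse_untrusted(payload, allow_external_entities=True),
            # Hardened parser: the entity reference resolves to an empty string.
            "hardened": parse_untrusted(payload, allow_external_entities=False),
        }
        try:
            parse_untrusted(payload, allow_external_entities=True,
                            resolver=DenyExternalEntities())
            results["resolver_blocked"] = False
        except ExternalEntityBlocked:
            results["resolver_blocked"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The SSRF variant from the list is the same code path: with external entities enabled, the SAX reader hands an http:// SYSTEM identifier to urllib and fetches it from the server's network position, so the feature flag (and the refusing resolver) closes both the file-read and the SSRF case at once.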
- https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
- https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
- https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
- https://en.wikipedia.org/wiki/XML_external_entity_attack
- https://medium.com/bugbountywriteup/devoops-an-xml-external-entity-xxe-hackthebox-walkthrough-fb5ba03aaaa2
- https://medium.com/@jonathanbouman/xxe-at-bol-com-7d331186de54