xxe-recursive-download
222 Stars 86 Forks GNU General Public License v2.0 3 Commits 0 Opened issues
This tool exploits XML External Entity (XXE) injection to retrieve files from a target server. It first obtains directory listings and then recursively downloads the contents of the files it finds.


The script has to be slightly modified to work with different web sites / web services:

* Set according to your target
* Change the XML data and the URL of your evil.dtd in the
* Modify the method to parse the file content from the response.
* For https: Change the method to use

Also, make sure you make the DTD available to the server, for example with Python's built-in HTTP server:

python -m SimpleHTTPServer 5678

Usage of the script:

python -h
usage: [-h] path [path ...]

Retrieves files via XXE

positional arguments:
  path        path(s) to the retrieve (e.g. /etc/)

optional arguments:
  -h, --help  show this help message and exit

Vulnerable Example Web Service

The files in

contain a sample vulnerable RESTful web service written in Java using Jersey (inspired by [1]).

To compile and run it with Maven (the Jetty Maven plugin starts the service on port 8080), run:

mvn jetty:run


The JSON and XML files in

can be used to debug the web service with curl:

curl -v -H "Content-Type:application/json" --upload-file initial.json http://localhost:8080/api/user
curl -v -H "Content-Type:application/xml" --upload-file cdata.xml http://localhost:8080/api/user
