Need help with xxeserv?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

253 Stars 43 Forks 12 Commits 1 Opened issues


A mini webserver with FTP support for XXE payloads

Services available


Need anything else?

Contributors list

# 2,456
1 commit
# 103,945
1 commit


Basic FTP server to receive payloads from instances of XXE. This will record all data received and respond in a manner which ensures the client keeps sending data. This will keep listening until you shut it down, allowing for multiple XXE file retreivals via FTP. Java connections shouldn't hang connecting to this either.

Has a unique "uno port" option, where everything is served from one port. This means you can serve HTTP/HTTPS/FTP over a single port. When a connection is received, the server will work out which protocol was requested, and handle it accordingly. This is not flawless, but works in most cases.

For more info, see the blog-post:


Built for Linux, so use

./xxeserv -p 2121

There are multiple modes. The server can host both FTP and HTTP, thus making it capable of serving the DTD and receiving the FTP payload.

To start the web-server (off by default) use

./xxeserv -w

To change the web-port, use


To Change the FTP port, use


The DTD is served out of the CWD by default. To change, use


To save the data received via FTP to file, use

-o filename
. The file will be created if it doesn't exist.
./xxeserv --help 
Usage of ./xxeserv:
  -o string
        File location to log to
  -p int
        Port to listen on (default 2121)
  -uno int
        Global port to listen on (default 5000)
  -w    Setup web-server for DTDs
  -wd string
        Folder to server DTD(s) from (default "./")
  -wp int
        Port to serve DTD on (default 2122)
  -wps int
        SSL Port to serve DTD on (default 2123)

To build:

go build

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.