This document discusses XML External Entity (XXE) vulnerabilities. It begins with an introduction to XML and DTDs, then explains how XML entities work and how XML is parsed. It outlines several attack vectors enabled by XXE vulnerabilities, including denial of service, local file inclusion and internal port scanning. It also gives examples of the billion laughs attack and of exploiting XXE in JSON endpoints by changing the request's content type. The document concludes with recommendations for preventing XXE issues, such as validating user input, disabling external DTD fetching and disabling external entity parsing.
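The prevention advice summarised above (no external DTD fetching, no entity parsing) can be enforced at the parser. The following is an added example, not code from the summarised document: it uses Python's standard-library expat bindings to refuse any DOCTYPE in untrusted input, which rules out both internal entity expansion (the billion laughs shape) and external entities before they can be declared. The sample documents and the `/placeholder/path` URI are constructed for the example.

```python
"""Hardened XML parsing with the standard-library expat parser.

Added example: the parser rejects any DTD, so neither nested internal
entities (the billion laughs pattern) nor external entities (local file
inclusion, internal requests) can be declared by the document.
"""
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised when an untrusted document carries a DOCTYPE declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat XML document into {tag: text}, refusing any DTD."""
    parser = expat.ParserCreate()
    # Never process parameter entities, i.e. never fetch an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused outright, so no entity can be declared at all.
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def reject_external_entity(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat abort on an external entity reference.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    result = {}
    buf = []

    def start(tag, attrs):
        buf.clear()

    def chars(text):
        buf.append(text)

    def end(tag):
        text = "".join(buf).strip()
        if text:
            result[tag] = text
        buf.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


# Constructed sample inputs (not taken from any real request).
BENIGN_DOC = b"<user><name>alice</name><role>reader</role></user>"

# Tiny nested internal entities: the same shape as billion laughs, two levels deep.
INTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<x>&b;</x>"
)

# External entity pointing at a placeholder path (no real file is referenced).
EXTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<x>&ext;</x>"
)


def classify(documents: dict) -> dict:
    """Return {name: 'parsed' | 'rejected'} for each document, for a quick check."""
    outcome = {}
    for name, doc in documents.items():
        try:
            parse_untrusted_xml(doc)
            outcome[name] = "parsed"
        except DoctypeRejected:
            outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_DOC))
    print(classify({
        "benign": BENIGN_DOC,
        "internal_entities": INTERNAL_ENTITY_DOC,
        "external_entity": EXTERNAL_ENTITY_DOC,
    }))
```

Rejecting the DOCTYPE entirely is stricter than only disabling external entities, but it is the simplest rule to audit: a document that needs a DTD has no business arriving from an untrusted client, and the same check belongs in front of any endpoint that will accept `application/xml` when the content type is changed.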