XML is a format used to send and receive information. XML External Entity injection (XXE) occurs when XML supplied as user input is processed on the server by a parser that resolves external entities. The impact includes reading arbitrary local files, Server-Side Request Forgery (SSRF), Denial of Service (DoS), and Remote Code Execution (RCE).

XXE can be reached through any functionality that parses user-supplied XML, including Microsoft Office files, RSS feed parsers, SAML authentication, HTML parsing, and functionality that parses sitemap.xml or SVG files.

Exploitation methods include arbitrary file read on Windows, remote code execution, server-side request forgery via XXE, and the Billion Laughs Attack, which causes a denial of service by exhausting the system's resources with an exponentially growing string of "lol"s. Understanding XXE exploitation requires understanding XML entities and how they can be used to inject malicious payloads into applications that parse XML user input.
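An added example, not from the original page: a Python guard that rejects untrusted XML carrying a DOCTYPE or entity declaration before the application's parser sees it, which removes the entity mechanism that file read, SSRF and Billion Laughs all rely on. The function names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Untrusted XML carried a DTD or an entity declaration."""


def _on_doctype(name, system_id, public_id, has_internal_subset):
    raise ForbiddenXML(f"DOCTYPE not allowed: {name}")


def _on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
    kind = "external" if system_id else "internal"
    raise ForbiddenXML(f"{kind} entity declaration not allowed: {name}")


def _on_external_ref(context, base, system_id, public_id):
    raise ForbiddenXML(f"external entity reference not allowed: {system_id}")


def parse_untrusted(data: bytes, forbid_dtd: bool = True) -> ET.Element:
    """Scan with a bare expat parser first; build the tree only if it is clean."""
    guard = expat.ParserCreate()
    if forbid_dtd:
        guard.StartDoctypeDeclHandler = _on_doctype
    # Still enforced when a DTD is tolerated (forbid_dtd=False).
    guard.EntityDeclHandler = _on_entity_decl
    guard.ExternalEntityRefHandler = _on_external_ref
    guard.Parse(data, True)  # handler exceptions propagate out of Parse()
    return ET.fromstring(data)


def verdict(data: bytes, forbid_dtd: bool = True) -> str:
    try:
        parse_untrusted(data, forbid_dtd)
        return "accepted"
    except ForbiddenXML as exc:
        return f"rejected: {exc}"


# Constructed sample inputs (harmless placeholders).
PLAIN = b"<note><to>ops</to></note>"
INTERNAL = b'<!DOCTYPE note [<!ENTITY greeting "hello">]><note>&greeting;</note>'
EXTERNAL = b'<!DOCTYPE note [<!ENTITY ext SYSTEM "placeholder.txt">]><note>&ext;</note>'

if __name__ == "__main__":
    for doc in (PLAIN, INTERNAL, EXTERNAL):
        print(verdict(doc), "|", verdict(doc, forbid_dtd=False))
```

Malformed input still raises expat.ExpatError from the guard pass, so callers should treat that as a rejection as well.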