testing-for-xxe-injection-vulnerabilities

Featured

Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.

Testing & QA 12,642 stars 1468 forks Updated today Apache-2.0


Skill Content

# Testing for XXE Injection Vulnerabilities

## When to Use

- During authorized penetration tests when the application processes XML input (SOAP APIs, file uploads, RSS feeds)
- When testing APIs that accept `Content-Type: application/xml` or `text/xml`
- For assessing XML parsers in file upload functionality (DOCX, XLSX, SVG, PDF)
- When evaluating SOAP-based web services for entity injection
- During security assessments of enterprise applications using XML configuration

## Prerequisites

- **Authorization**: Written penetration testing agreement for the target
- **Burp Suite Professional**: For intercepting and modifying XML requests
- **XXEinjector**: Automated XXE exploitation tool (`git clone https://github.com/enjoiz/XXEinjector.git`)
- **Out-of-band server**: Burp Collaborator or interactsh for blind XXE detection
- **curl**: For manual payload crafting and submission
- **Python**: For building DTD hosting server

## Workflow

### Step 1: Identify XML Processing Points

Find all application endpoints that accept or process XML data.

```bash
# Look for XML content types in Burp proxy history
# Filter for: Content-Type: application/xml, text/xml, application/soap+xml

# Test if JSON endpoints also accept XML
# Original JSON request:
curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"search":"test"}' \
  "https://target.example.com/api/search"

# Try converting to XML:
curl -s -X POST \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?><...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

Testing & QA Featured

testing-for-xml-injection-vulnerabilities

Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks to identify data exposure and server-side request forgery risks.

12,642 Updated today
mukul975
Testing & QA Featured

testing-for-xss-vulnerabilities

Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection testing, or JavaScript injection vulnerability testing.

12,642 Updated today
mukul975
Testing & QA Featured

testing-for-xss-vulnerabilities-with-burpsuite

Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater tools during authorized security assessments.

12,642 Updated today
mukul975
Data & Documents Listed

sast-xxe

Detect XML External Entity (XXE) vulnerabilities in a codebase using a three-phase approach: recon (find XML parsing sites without external-entity hardening), batched verify (trace user input to each site in parallel subagents, 3 sites each), and merge (consolidate batch results). Requires sast/architecture.md (run sast-analysis first). Outputs findings to sast/xxe-results.md. Use when asked to find XXE or XML injection bugs.

0 Updated today
reasonless-throne486
Data & Documents Listed

xxe

Detect XML External Entity injection where XML parsers process untrusted input with external entity loading enabled, allowing file read or SSRF.

0 Updated today
Liaabnormal676