AppSec Tales XX — E

Karol Mazurek
5 min read · Sep 17

Application Security Testing for XML eXternal Entity injections.

INTRODUCTION

The article describes how to test the application to find XXE injection vulnerabilities. The advice in this article is based on the following:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • Bug bounty reports
  • Own experience.

TOOLING

BURP SUITE PRO EXTENSIONS

Source: Own study — Using Burp Bounty Pro tag scanning capabilities.

WORDLIST

  • XXE_manual — wordlist containing XXE payloads for manual work only.

GUIDELINES

In the guidelines below, I assume that you have already identified the application entry points, as described in AppSec Tales XI | Input Validation.

The table below gives an overview of the guidelines:

Source: Own study — Guidelines overview.

XXE injections can be found in any part of an HTTP body. However, they most often occur in POST requests with Content-Type: application/xml.

I. XML IDENTIFICATION — CONTENT & SCHEMA

Begin with a basic XML request to see how the application processes it.

  • Use a basic XML document without external entities or content-type specifications to confirm that the application handles it correctly.
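As an added example (not code from the original article), the following Python helper builds the step I baseline probe and reads the response for evidence of an XML parser: the marker value, the parser error fragments and the sample responses are all constructed here, and the `classify`/`xml_parser_present` helpers are hypothetical names. It goes one step beyond the text by pairing the well-formed probe with a deliberately malformed copy, since the difference in how the two are handled is what shows an XML parser sits behind the endpoint.

```python
import re
from dataclasses import dataclass

# Constructed marker value; any unique token works.
MARKER = "xxeprobe7f3a"

def baseline_xml(marker: str = MARKER) -> str:
    # Step I probe: well-formed XML, no DOCTYPE, no entities, no namespaces.
    return f'<?xml version="1.0" encoding="UTF-8"?><root><name>{marker}</name></root>'

def malformed_xml(marker: str = MARKER) -> str:
    # Same document with an unclosed <name>; only a real XML parser complains about it.
    return f'<?xml version="1.0" encoding="UTF-8"?><root><name>{marker}</root>'

# Error fragments typical of common XML parsers (libxml2, expat, Xerces, .NET).
PARSER_ERROR_HINTS = re.compile(
    r"not well-formed|SAXParseException|XMLSyntaxError|XML_ERR|mismatched tag|"
    r"unclosed token|Content is not allowed in prolog|XmlException|Premature end of data",
    re.IGNORECASE,
)

@dataclass
class Observation:
    status: int
    body: str

def classify(obs: Observation, marker: str = MARKER) -> str:
    if obs.status == 415:
        return "unsupported_media_type"
    if marker in obs.body:
        return "reflected"        # the value made it through whatever parsed it
    if PARSER_ERROR_HINTS.search(obs.body):
        return "parser_error"     # verbose XML parser error leaked to the client
    return "no_evidence"

def xml_parser_present(baseline: Observation, malformed: Observation) -> bool:
    """True when the well-formed probe is accepted but the malformed one is not:
    that difference is what tells you an XML parser sits behind the endpoint."""
    ok, bad = classify(baseline), classify(malformed)
    if ok == "unsupported_media_type":
        return False
    return bad == "parser_error" or (baseline.status < 400 <= malformed.status)

# Constructed sample responses standing in for a real round trip.
SAMPLE_BASELINE = Observation(200, f'{{"name": "{MARKER}"}}')
SAMPLE_MALFORMED = Observation(400, "XMLSyntaxError: Premature end of data in tag name line 1")

if __name__ == "__main__":
    print(baseline_xml())
    print(classify(SAMPLE_BASELINE), classify(SAMPLE_MALFORMED))
    print("XML parser present:", xml_parser_present(SAMPLE_BASELINE, SAMPLE_MALFORMED))
```

A verbose parser error in the malformed case is itself a finding worth noting: it tells you which parser is in use and that its messages reach the client.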