Application Security Testing for XML eXternal Entity injections.
The article describes how to test the application to find XXE injection vulnerabilities. The advice in this article is based on the following:
- OWASP Web Security Testing Guide
- OWASP Application Security Verification Standard
- Bug bounty reports
- Own experience.
BURP SUITE PRO EXTENSIONS
- Burp Suite Professional — automatic scanner.
- Burp Bounty Pro — additional automated scanning capabilities.
- XXE_manual— wordlist contains XXE payloads for manual work only.
In the below guidelines, I assume that you identified the application entry points described in the AppSec Tales XI | Input Validation:
The below table shows an overview of the guidelines:
XXE injections can be found in any part of an HTTP body. However, they often occur in POST request with Content-Type: application/xml .
I. XML IDENTIFICATION — CONTENT & SCHEMA
Begin with a basic XML request to see how the application processes it.
- Use a basic XML format without external entities and content type specifications to ensure correct handling by the application.