AppSec Tales XX — E

Karol Mazurek
5 min read · Sep 17, 2023

Application Security Testing for XML eXternal Entity injections.

INTRODUCTION

The article describes how to test the application to find XXE injection vulnerabilities. The advice in this article is based on the following:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • Bug bounty reports
  • My own experience

TOOLING

BURP SUITE PRO EXTENSIONS

Source: Own study — Using Burp Bounty Pro tag scanning capabilities.

WORDLIST

  • XXE_manual: a wordlist of XXE payloads intended for manual testing only (not for automated scanning).
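To make concrete what a single entry from such a wordlist does when it reaches a parser, here is an added example (not part of the original article or its wordlist). It is a Python standard-library script that feeds the classic file-read XXE payload to three parser configurations: one with external general entities enabled (the vulnerable state), the stdlib default, and a parser that refuses any DOCTYPE. The canary file, its marker string and the helper names are assumptions made for the demonstration; the target file is written locally so the script runs offline.

```python
"""Added example (not from the original article): probe one XXE payload
against three xml.sax parser configurations using only the standard library.

Assumptions (not from the page): a local temp file stands in for the file an
attacker would try to read, and the payload mirrors the classic SYSTEM-entity
entry found in XXE wordlists.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler

CANARY = "XXE-CANARY-7f3a2c"  # constructed marker written to the target file


class DTDNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE and DTDs are disallowed."""


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see what the entity expanded to.

    It doubles as a LexicalHandler: expat reports the DOCTYPE via startDTD,
    and refusing every DTD removes the ENTITY declaration an XXE needs.
    """

    def __init__(self, reject_dtd: bool) -> None:
        super().__init__()
        self.reject_dtd = reject_dtd
        self._chunks = []

    def characters(self, content: str) -> None:
        self._chunks.append(content)

    def text(self) -> str:
        return "".join(self._chunks)

    def startDTD(self, name, public_id, system_id) -> None:
        if self.reject_dtd:
            raise DTDNotAllowed(f"DOCTYPE {name!r} rejected (system id {system_id!r})")

    # Remaining LexicalHandler callbacks are wired by xml.sax; keep them inert.
    def endDTD(self) -> None:
        pass

    def comment(self, content) -> None:
        pass

    def startCDATA(self) -> None:
        pass

    def endCDATA(self) -> None:
        pass


def build_file_payload(system_id: str) -> bytes:
    """Classic file-read XXE payload, the form a manual wordlist entry takes."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [ <!ENTITY xxe SYSTEM "{system_id}"> ]>\n'
        "<data>&xxe;</data>"
    ).encode()


def parse_collect(payload: bytes, *, external_entities: bool, reject_dtd: bool) -> str:
    """Parse payload with the given settings and return the document's text content."""
    parser = xml.sax.make_parser()
    # External general entities are off by default since Python 3.7.1;
    # turning them on reproduces the vulnerable state.
    parser.setFeature(handler.feature_external_ges, external_entities)
    parser.setFeature(handler.feature_external_pes, False)
    collector = TextCollector(reject_dtd)
    parser.setContentHandler(collector)
    parser.setProperty(handler.property_lexical_handler, collector)
    parser.parse(io.BytesIO(payload))
    return collector.text()


def run_probe() -> dict:
    """Write the canary to a temp file and feed the same payload to three setups."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(CANARY)  # no trailing newline, so the leaked text equals CANARY
        target = fh.name
    try:
        payload = build_file_payload(pathlib.Path(target).as_uri())
        results = {
            # Vulnerable: the parser fetches file:///... and inlines its contents.
            "external_entities_on": parse_collect(payload, external_entities=True, reject_dtd=False),
            # Stdlib default: the external entity reference is silently dropped.
            "stdlib_default": parse_collect(payload, external_entities=False, reject_dtd=False),
        }
        try:
            parse_collect(payload, external_entities=False, reject_dtd=True)
            results["dtd_rejected"] = "parsed"
        except DTDNotAllowed as exc:
            results["dtd_rejected"] = f"rejected: {exc}"
        return results
    finally:
        os.unlink(target)


if __name__ == "__main__":
    for setting, outcome in run_probe().items():
        print(f"{setting:22} -> {outcome!r}")
```

The same three-way check is the manual test loop in practice: send the payload, then look for the canary in the response (entity expanded), an empty or unchanged field (entity dropped), or a parse error naming the DOCTYPE (DTDs disabled). Only the first outcome is a finding; the third is the hardened configuration OWASP recommends.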

GUIDELINES

In the guidelines below, I assume that you have already identified the application entry points described in AppSec Tales XI | Input Validation:
