AppSec Tales XX — E
5 min read · Sep 17, 2023
Application Security Testing for XML eXternal Entity injections.
INTRODUCTION
This article describes how to test an application for XXE (XML eXternal Entity) injection vulnerabilities. The advice is based on the following sources:
- OWASP Web Security Testing Guide
- OWASP Application Security Verification Standard
- Bug bounty reports
- My own experience.
TOOLING
BURP SUITE PRO EXTENSIONS
- Burp Suite Professional — automatic scanner.
- Burp Bounty Pro — additional automated scanning capabilities.
WORDLIST
- XXE_manual — a wordlist containing XXE payloads for manual testing only.
GUIDELINES
In the guidelines below, I assume that you have already identified the application's entry points, as described in AppSec Tales XI | Input Validation: