Can this skill test for blind XXE?

Yes, it includes detailed workflows for out-of-band (OOB) detection using tools like Burp Collaborator or interactsh when the server does not return direct output in the response.

What is XXE injection?

XML External Entity (XXE) injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data, often leading to unauthorized file disclosure or SSRF.

What tools are required for these workflows?

The workflows leverage common security tools including Burp Suite Professional, XXEinjector, and out-of-band interaction servers for comprehensive vulnerability verification.

Does this work with file uploads?

Absolutely. It provides specialized steps for testing XML-based files such as SVG images and Office documents (DOCX/XLSX) for hidden XXE vulnerabilities within the file structure.

XXE Injection Testing

Name: XXE Injection Testing
Author: micsapp

bymicsapp

0•

보안 및 테스팅

Identifies and exploits XML External Entity (XXE) vulnerabilities to detect server-side file access, SSRF, and data exfiltration.

This skill provides a comprehensive methodology for discovering and testing XXE injection vulnerabilities during authorized security assessments. It guides users through identifying XML processing points, crafting payloads for local file retrieval, performing blind XXE with out-of-band detection, and leveraging XML parsers for Server-Side Request Forgery (SSRF). By providing standardized workflows for various file formats like DOCX and SVG, it helps security professionals and developers identify and remediate critical OWASP-category security misconfigurations in XML-processing applications.

주요 기능

01Automated identification of XML processing endpoints and SOAP web services

02Blind XXE detection using out-of-band (OOB) techniques and external DTD hosting

030 GitHub stars

04Vulnerability testing for XML-based file formats including SVG, DOCX, and XLSX

05SSRF exploitation workflows for cloud metadata access and internal port scanning

06Payload generation for local file retrieval and PHP filter base64 encoding

사용 사례

01Testing for blind XXE vulnerabilities where direct output reflection is suppressed

02Verifying the security of XML parsers in enterprise applications and configuration managers

03Conducting authorized penetration tests on applications using SOAP APIs or XML-based file uploads

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills testing-for-xxe-injection-vulnerabilities

For use in Claude.ai and ChatGPT

주요 기능

01Automated identification of XML processing endpoints and SOAP web services

02Blind XXE detection using out-of-band (OOB) techniques and external DTD hosting

030 GitHub stars

04Vulnerability testing for XML-based file formats including SVG, DOCX, and XLSX

05SSRF exploitation workflows for cloud metadata access and internal port scanning

06Payload generation for local file retrieval and PHP filter base64 encoding

사용 사례

01Testing for blind XXE vulnerabilities where direct output reflection is suppressed

02Verifying the security of XML parsers in enterprise applications and configuration managers

03Conducting authorized penetration tests on applications using SOAP APIs or XML-based file uploads

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills testing-for-xxe-injection-vulnerabilities

For use in Claude.ai and ChatGPT