
Injection: XXE Injection

Identifier: xxe

Scanner(s) Support

  • GraphQL Scanner
  • REST Scanner
  • WebApp Scanner
  • ASM Scanner

Description

XML External Entity (XXE) vulnerabilities occur when an XML parser resolves external entities declared in a document's DTD, allowing attackers to access sensitive files or make requests to internal resources, potentially reading confidential data or executing malicious code.

How we test: We inject XXE payloads containing external entity references into XML requests and analyze the responses to determine whether the external entities were resolved. We test for various XXE attack vectors including file disclosure, SSRF, and denial of service.
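As an added illustration (not code from the scanner or this page), the difference between a parser that resolves external general entities and one that refuses them, using Python's xml.sax: the DTD below declares a SYSTEM entity pointing at a constructed temporary file, the unsafe setting returns that file's contents as element text, and the hardened setting (the default since Python 3.7.1) returns nothing for it.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect the character data of every element, so we can see what an entity expanded to."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax and return the document's concatenated text content.

    resolve_external_entities=True reproduces the unsafe behaviour (SYSTEM entities are
    fetched from the file system or the network); False is the hardened setting.
    """
    parser = xml.sax.make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def demo():
    """Write a constructed 'secret' file, reference it from a DTD external entity, and
    return (text seen by the unsafe parser, text seen by the hardened parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("CONSTRUCTED-SECRET-42")  # constructed stand-in for a sensitive file
        secret_path = fh.name
    try:
        doc = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE order [<!ENTITY ext SYSTEM "{secret_path}">]>\n'
            "<order><note>&ext;</note></order>"
        ).encode()
        unsafe = parse_text(doc, resolve_external_entities=True)
        hardened = parse_text(doc, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return unsafe, hardened
```

The same check applies to any parser the application uses: feed it a document with an external entity and confirm the entity contributes no content.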

Execution conditions (BLST):

  • Runs when this test is enabled.
  • Coverage must not be SERVER_UNREACHABLE, TIMEOUT, RATE_LIMIT, UNAUTHORIZED, REDIRECTION, or GENERIC_ERROR.
  • Either request or response Content-Type must include application/xml.

References:

Configuration

Example

Example configuration:

---
security_tests:
  xxe:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.