Add Testing for XML External Entity (XXE) Weaknesses #8

itscooper opened this issue Jun 15, 2017 · 15 comments

@itscooper
Contributor

No description provided.

@kingthorin
Collaborator

XXE has a small section or two included in v4:
https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008)

@kingthorin kingthorin added the new New content to write label Mar 27, 2019
@kingthorin
Collaborator

kingthorin commented May 29, 2019

@kingthorin kingthorin added this to the Add New Testing Scenarios milestone Aug 18, 2019
@vermava

vermava commented Aug 20, 2019

Hi Team, I will share the draft shortly on this.

Thank you
Vandana

@ThunderSon
Collaborator

@vermava hello! I'd prefer that you tackle an issue at a time. Which one would you like to take care of first?

@ThunderSon ThunderSon added the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Sep 30, 2019
@kingthorin kingthorin removed the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Nov 4, 2019
@RiieCco
Contributor

RiieCco commented Jan 11, 2020

I can pick this one up. We already have a small lab for this; I will improve the write-up to be more worthy and have a more detailed explanation. After that I can include it in the testing guide :-)

Lab is found here:
https://owasp-skf.gitbook.io/asvs-write-ups/kbid-6-xxe

@victoriadrake victoriadrake removed this from the v4.x: Add New milestone Jan 22, 2020
@kingthorin
Collaborator

@vermava any luck putting something together as you mentioned earlier?

@kingthorin kingthorin added this to the v4.2: Test Additions milestone Apr 28, 2020
@kingthorin
Collaborator

@vermava any luck putting something together as you mentioned earlier?

@Hsiang-Chih
Contributor

There are blackbox & whitebox approaches to testing for XXE.
For large-scale projects, it's recommended to do a whitebox source review based on the specific API.
Refer to my previous work, the XXE Cheat Sheet. Let me know if I can help add any content to the testing guide.

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

@github-actions

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@kingthorin
Collaborator

@vermava @RiieCco any news on this?

@DotDotSlashRepo
Contributor

@kingthorin I would like to work on this.

@kingthorin
Collaborator

Go for it 👍

@github-actions

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@github-actions

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@kingthorin kingthorin added the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Oct 1, 2021
@kingthorin kingthorin removed the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Nov 4, 2021
@kingthorin kingthorin added revise Needs quality review, updates, or revision and removed new New content to write labels Feb 8, 2022