
Add Testing for XML External Entity (XXE) Weaknesses

Open itscooper opened this issue 7 years ago • 15 comments

itscooper (Jun 15 '17 11:06)

XXE has a small section or two included in v4: https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008)

kingthorin (May 29 '18 19:05)

Ref: https://twitter.com/PortSwigger/status/1133707942329552898 → https://portswigger.net/web-security/xxe/

kingthorin (May 29 '19 12:05)

Hi Team, I will share the draft shortly on this.

Thank you, Vandana

vermava (Aug 20 '19 19:08)

@vermava hello! I'd prefer that you tackle an issue at a time. Which one would you like to take care of first?

ThunderSon (Aug 20 '19 19:08)

I can pick this one up; we already have a small lab for this. I will improve the write-up to be more worthy and have a more detailed explanation. After that I can include it in the testing guide :-)

Lab is found here: https://owasp-skf.gitbook.io/asvs-write-ups/kbid-6-xxe

RiieCco (Jan 11 '20 20:01)

@vermava any luck putting something together as you mentioned earlier?

kingthorin (Apr 28 '20 11:04)

@vermava any luck putting something together as you mentioned earlier?

kingthorin (Jun 14 '20 11:06)

There are blackbox and whitebox approaches to test for XXE. For large-scale projects, it's recommended to do a whitebox source review based on the specific XML parsing API in use. Refer to my previous work, the XXE Cheat Sheet. Let me know if I can help add any content to the testing guide.

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Hsiang-Chih (Jun 17 '20 10:06)
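As an added illustration of the whitebox, API-specific review suggested above (this is example code written for this page, not code from the WSTG project or from any commenter), the script below scans Java source text for JAXP parser factories and reports each one that is not hardened the way the linked XXE Prevention Cheat Sheet describes: either the `disallow-doctype-decl` feature is enabled, or both external-entity features are disabled. The Java snippet it scans is constructed for the example; the feature URIs are the real Xerces/SAX ones. The scope rule (features counted up to the next factory instantiation) and the regular expressions are review heuristics assumed here, not a Java parser, and `XMLInputFactory`/StAX is not covered.

```python
"""Whitebox XXE review helper: flag JAXP parser factories that are not hardened.

Example code added for this thread; the heuristics are assumptions, not a parser.
"""
import re

# Hardening features named in the OWASP XXE Prevention Cheat Sheet (Xerces / SAX).
DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl"
EXT_GENERAL = "http://xml.org/sax/features/external-general-entities"
EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities"

# Matches `Type var = DocumentBuilderFactory.newInstance()` and the SAX equivalent.
FACTORY_RE = re.compile(
    r"(?P<var>\w+)\s*=\s*(?P<factory>DocumentBuilderFactory|SAXParserFactory)"
    r"\s*\.\s*newInstance\s*\(\s*\)"
)


def feature_calls(var: str, text: str) -> dict:
    """Collect var.setFeature("<uri>", true|false) calls as {uri: bool}."""
    pat = re.compile(
        rf'\b{re.escape(var)}\s*\.\s*setFeature\s*\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)'
    )
    return {m.group(1): m.group(2) == "true" for m in pat.finditer(text)}


def is_hardened(features: dict) -> bool:
    """Hardened if DOCTYPEs are rejected outright, or both external entity kinds are off."""
    if features.get(DISALLOW_DOCTYPE) is True:
        return True
    return features.get(EXT_GENERAL) is False and features.get(EXT_PARAMETER) is False


def review_source(source: str) -> list:
    """Return one finding per factory instantiation, with line number and verdict.

    Heuristic scope (an assumption of this example): setFeature calls are
    attributed to a factory from its instantiation up to the next instantiation.
    """
    findings = []
    matches = list(FACTORY_RE.finditer(source))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(source)
        feats = feature_calls(m.group("var"), source[m.end():end])
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "variable": m.group("var"),
            "factory": m.group("factory"),
            "features": feats,
            "hardened": is_hardened(feats),
        })
    return findings


def unhardened_variables(source: str) -> list:
    """Names of factory variables the review would raise as XXE findings."""
    return [f["variable"] for f in review_source(source) if not f["hardened"]]


# Constructed sample source, not taken from any real project.
SAMPLE_JAVA = """\
// constructed sample: three factories, only one fully hardened
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(request.getInputStream());

DocumentBuilderFactory safe = DocumentBuilderFactory.newInstance();
safe.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
Document doc2 = safe.newDocumentBuilder().parse(request.getInputStream());

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
SAXParser sp = spf.newSAXParser();
"""

if __name__ == "__main__":
    for f in review_source(SAMPLE_JAVA):
        status = "OK " if f["hardened"] else "XXE"
        print(f'{status} line {f["line"]}: {f["factory"]} {f["variable"]} features={f["features"]}')
```

Running it reports `dbf` (no hardening at all) and `spf` (general entities off, but parameter entities still allowed) as findings, while `safe` passes because rejecting the DOCTYPE removes every entity declaration. A real review would extend the same idea to the other parser APIs the cheat sheet lists and trace where each parser's input comes from.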

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] (Aug 15 '20 00:08)

@vermava @RiieCco any news on this?

kingthorin (Nov 10 '20 20:11)

@kingthorin I would like to work on this.

DotDotSlashRepo (Jan 02 '21 18:01)

Go for it 👍

kingthorin (Jan 02 '21 21:01)

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] (Apr 15 '21 02:04)

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] (Jun 15 '21 00:06)

https://github.com/OWASP/wstg/blob/ede0735edb3ac674137f2176ae5ff96e3d134bcd/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.md

kingthorin (Feb 08 '22 12:02)