XML Attacks: Denial of Service SOAP Attacks
XML Attacks: Denial of Service SOAP Attacks
Twitter: @harshbothra_
https://www.ws-attacks.org/SOAPAction_ https://harshbothra.tech
SOAP Action Spoofing Billion Laugh Attack
Spoofing
XML Entity Expansion Quadratic Blowup Attack
https://www.ws-attacks.org/Replay_Attack Replay Attacks
https://www.ws-attacks.org/XML_
Signature_%E2%80%93_XSLT_Code_ XSLT Code Execution http://projects.webappsec.org/w/page/
Execution 13247005/XPath%20Injection#:~:text=
XPath%20Injection%20is%20an%20attack,
https://www.ws-attacks.org/XML_ query%20or%20navigate%20XML%
XML Signature - Key Retrieval XSA (Cross 20documents.
Signature_-_Key_Retrieval_XSA_(Cross_Site_
Site Attack)
Attack)
XPATH Injection https://www.soapui.org/docs/security-
XML Signature Exclusion XML Signature Attacks testing/security-scans/xpath-injection/
C14N DOS
Denial of Service
http://projects.webappsec.org/w/page/
XSLT DOS 13247004/XML%20Injection
Transformation DOS
XPATH DOS https://owasp.org/www-project-web-
security-testing-guide/latest/4-Web_
https://www.ws-attacks.org/XML_ XML Injection Application_Security_Testing/07-Input_
Signature_%E2%80%93_Transformation_DOS Validation_Testing/07-Testing_for_XML_
Injection
https://research.cs.wisc.edu/mist/
https://www.ws-attacks.org/Attack_ SoftwareSecurityCourse/Chapters/3_8_4-
Attack Obfuscation
Obfuscation XML-Injections.pdf
WSDL Spoofing
DOCEM (https://github.com/whitel1st/docem)
https://github.com/OWASP/
CheatSheetSeries/blob/master/cheatsheets/
Simple Payload Processing
XML_Security_Cheat_Sheet.md
General/Classical XXE
https://www.ws-attacks.org/ XML Attacks Base64 Payload Processing
data://
https://www.slideshare.net/ssuserf09cba/
xxe-how-to-become-a-jedi
phar://
https://github.com/swisskyrepo/
PayloadsAllTheThings/tree/master/XXE% rar://
20Injection XXE with Wrappers
php://
https://cheatsheetseries.owasp.org/
cheatsheets/XML_External_Entity_Prevention_
References
expect://
Cheat_Sheet.html
Can result into RCE
https://github.com/omurugur/XXE_Payload_
List Xincludes based XXE
https://gosecure.github.io/xxe-workshop/#0 SSRF