web-xxe
Community
Detect and exploit XXE vulnerabilities safely.
System Documentation
What problem does it solve?
XML External Entity (XXE) injection vulnerabilities allow attackers to read local files, reach internal services, exfiltrate data, and cause denial of service when XML parsers resolve entities. This Skill equips security testers with structured payloads, tooling guidance, and methodology to identify, validate, and chain XXE vectors across web apps and document processing pipelines.
Core Features & Use Cases
- Attack coverage: classic XXE file disclosure, blind XXE via OOB channels, error-based XXE, XXE to SSRF, parameter entity exploitation, and OOXML/XHTML vectors.
- Broad applicability: SOAP/REST XML endpoints, XML-based file processing (SVG, OOXML documents), and cloud/internal services; supports multiple egress channels (HTTP, DNS, FTP) for exfiltration.
- Use Case: A security tester validates an XML-processing endpoint, identifies an in-band disclosure, and then pivots to OOB exfiltration to demonstrate impact and remediation needs.
Quick Start
Identify XML-processing endpoints (SOAP/REST with XML, XML file uploads) and test with a minimal XXE payload to confirm external entity resolution.
Dependency Matrix
Required Modules
None required
Components
Standard package
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: web-xxe Download link: https://github.com/brucesongs/kali-claw/archive/main.zip#web-xxe Please download this .zip file, extract it, and install it in the .claude/skills/ directory.