-
Book Overview & Buying
-
Table Of Contents
Hands-On Application Penetration Testing with Burp Suite
By :
The XML issues need that the request accepts XML, so we need this information in the header's content-type, as follows:
text/xmlapplication/xml
We can configure a filter in Burp Suite to detect requests that have this information in the headers. To configure the filter, go to the Target tool, and then click on the Filter bar. Once there, select the XML file format, and if you want, write the content-type string that we know all requests need to have, as shown in the following screenshot:

After filtering the request that could be vulnerable, add common testing strings as a payload list in the Intruder tools, as with the past vulnerabilities, and launch them to all the potential requests. For example, one of the most common strings to detect XXE is the following:
<!ENTITY % three SYSTEM "file:///etc/passwd">
When the file appears in the response, it means that you have detected a vulnerability. I recommend the use of the next cheat sheet created by...
Change the font size
Change margin width
Change background colour