  1. Denial of Service
    1. XML Entity Expansion
      1. Billion Laughs Attack
      2. Quadratic Blowup Attack
      3. Recursive Entity Reference
    2. XML Flooding
    3. Reference Redirect Attack
      1. Signature Redirect
      2. Encryption Redirect
  2. XPath Injection
    1. http://projects.webappsec.org/w/page/13247005/XPath%20Injection#:~:text=XPath%20Injection%20is%20an%20attack,query%20or%20navigate%20XML%20documents.
    2. https://www.soapui.org/docs/security-testing/security-scans/xpath-injection/
    3. https://rhinosecuritylabs.com/penetration-testing/xpath-injection-attack-defense-techniques/
  3. XML Injection
    1. http://projects.webappsec.org/w/page/13247004/XML%20Injection
    2. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection
    3. https://research.cs.wisc.edu/mist/SoftwareSecurityCourse/Chapters/3_8_4-XML-Injections.pdf
  4. XML External Entities
    1. Tools
      1. XXEServe (https://github.com/joernchen/xxeserve)
      2. XXExploiter (https://github.com/luisfontes19/xxexploiter)
      3. XXEinjector (https://github.com/enjoiz/XXEinjector)
      4. 230-OOB (https://github.com/lc/230-OOB)
      5. OXML_XXE (https://github.com/BuffaloWill/oxml_xxe)
      6. DOCEM (https://github.com/whitel1st/docem)
    2. General/Classical XXE
      1. Simple Payload Processing
      2. Base64 Payload Processing
    3. XXE with Wrappers
      1. data://
      2. phar://
      3. rar://
      4. php://
      5. expect://
      6. Can result in RCE
    4. XInclude-based XXE
    5. Blind XXE
    6. XXE with Local DTD
    7. Error-Based XXE
    8. Attack Chaining
      1. SSRF
      2. Local File Read
      3. Denial of Service
        1. Large File Retrieval
        2. Entity Reference Attack
      4. Windows Share Stealing
      5. Remote Code Execution
      6. Port Scanning
      7. Pass The Hash
    9. XXE via Various Files
      1. XXE via SVG
        1. General Payload Processing
        2. OOB via SVG rasterization
      2. OOXML (DOCX, XLSX, PPTX), ODF, PDF, RSS
      3. XXE inside DTD file
      4. XXE via SOAP
      5. XXE via XMP
      6. Other XML Processing: XMLRPC, WebDAV, SOAP, XMPP, SAML
  5. SAML XML Injection
    1. https://research.nccgroup.com/2021/03/29/saml-xml-injection/
  6. Oversized XML Attack
    1. Oversized SOAP Header
    2. Oversized SOAP Body
    3. Oversized SOAP Envelope
    4. XML Extra Long Names
    5. XML Namespace Prefix Attack
    6. XML Oversized Attribute Content
    7. XML Oversized Attribute Count
  7. XSLT Attack
    1. References
      1. https://www.blackhat.com/docs/us-15/materials/us-15-Arnaboldi-Abusing-XSLT-For-Practical-Attacks-wp.pdf
      2. https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection
      3. https://book.hacktricks.xyz/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations
      4. https://www.contextis.com/en/blog/xslt-server-side-injection-attacks
    2. Cross-Site Scripting
    3. Arbitrary File Read
    4. Code Execution
    5. SSRF
    6. Data Exfiltration & XXE
  8. References
    1. https://www.agarri.fr/fr/publications.html
    2. https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_Security_Cheat_Sheet.md
    3. https://www.ws-attacks.org/
    4. https://www.slideshare.net/ssuserf09cba/xxe-how-to-become-a-jedi
    5. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
    6. https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
    7. https://github.com/omurugur/XXE_Payload_List
    8. https://github.com/HLOverflow/XXE-study
    9. https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPXXE.md
    10. https://gosecure.github.io/xxe-workshop/#0
    11. https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
  9. Misc.
    1. Attack Obfuscation
      1. https://www.ws-attacks.org/Attack_Obfuscation
    2. Metadata Spoofing
      1. WSDL Spoofing
      2. WS Security Policy Spoofing
      3. https://www.ws-attacks.org/Metadata_Spoofing
    3. Active WS-MITM
      1. Malicious Morphing
      2. Routing Detour
    4. Passive WS-MITM
    5. Coercive Parsing
  10. XML Signature Attacks
    1. XSLT Code Execution
      1. https://www.ws-attacks.org/XML_Signature_%E2%80%93_XSLT_Code_Execution
    2. XML Signature - Key Retrieval XSA (Cross Site Attack)
      1. https://www.ws-attacks.org/XML_Signature_-_Key_Retrieval_XSA_(Cross_Site_Attack)
    3. XML Signature Exclusion
    4. XML Signature Wrapping
    5. Denial of Service
      1. Key Retrieval DoS
      2. Transformation DoS
        1. C14N DoS
        2. XSLT DoS
        3. XPath DoS
        4. https://www.ws-attacks.org/XML_Signature_%E2%80%93_Transformation_DOS
  11. SOAP Attacks
    1. SOAP Action Spoofing
      1. https://www.ws-attacks.org/SOAPAction_Spoofing
    2. Replay Attacks
      1. https://www.ws-attacks.org/Replay_Attack
    3. WSDL Enumeration
      1. https://www.ws-attacks.org/WSDL_Disclosure
    4. SOAP Parameter DoS
    5. SOAP Array Attack
  12. MindMap by: Harsh Bothra Twitter: @harshbothra_ https://harshbothra.tech
  13. Review Credits & Thanks: Avinash K. Thapa - @iw00tr00t Yatin Sirpaul - @ysirpaul Aditya Dixit - @zombie007o Mukesh Kumar - @hack_logic Jesus A. Espinoza - @ArthusuxD
  14. Note: Some of these techniques may not be actively exploitable. However, it is always good to look for the possibilities.