Customize request XML parsing
Hi,
Is there a way of customizing the request XML parsing process in SOAP UI? I have already tried to check out the sources and intervene there, but the codebase has proven to be a bit overwhelming to understand - I wasn't able to understand where the configuration for the XML parser is set.
I'm trying to use it to demonstrate XXE payloads for a university project and it seems most of the popular payloads are not working on requests sent via SOAP UI, probably due to parser configuration... Basically I need to find how to turn off the anti-XXE measures.
There is an attachment to show what I mean to do...
Thanks
https://www.soapui.org/getting-started/soapui-interface/preferences-and-settings.html
See if turning off validate requests in Editor Settings helps.
Regards,
Rao.
That was one of the solutions I tried as well - it is really starting to seem like it is validated somewhere deep, deep in the source code (or maybe I'm too much of a novice to find it).
Weird thing is that a classical entity (just a string value replacement):
<!DOCTYPE replacements [
<!ENTITY replacement "Replaced value gets through">
]>
<foo>&replacement;</foo>
gets through and is present in the response, as opposed to any other variation of XXE (XML bomb, replacements with results from FTP/HTTP/FILE links).
Anyways I think I'll have to move away from SOAP UI for my XXE demo - really wanted to utilize it, I am a fan of the product.
I still appreciate you trying to help nmrao! Have a nice day!
Regards,
Rao.
Thank you for the suggestion, but alas it is not the answer...
Weird thing is there are test samples for XXE attacks in the sources, so it should be possible to test them:
https://github.com/SmartBear/soapui/tree/next/soapui/src/main/resources/com/eviware/soapui/resources...
Wondering if there is indeed some setting I haven't enabled/disabled that is preventing me from testing just these exact payloads...
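Added example, not part of the thread and not SoapUI's own code: a standard JAXP `DocumentBuilderFactory` hardened against XXE shows the same split reported above, where an internal entity is expanded but an external one is never fetched. It assumes the JDK's built-in parser; the class name, helper names and the placeholder file URI are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

public class EntityHandlingDemo {  // hypothetical class name

    // Hardened factory: the DOCTYPE is still accepted, so internal entities
    // expand, but nothing outside the document itself is ever loaded.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Enforces the JDK's entity-expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Do not resolve external general or parameter entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD subset either.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    // Parses the document and reports the root element's text, or the parser's refusal.
    static String parse(String xml) {
        try {
            byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
            return "text=[" + hardenedBuilder()
                    .parse(new ByteArrayInputStream(bytes))
                    .getDocumentElement().getTextContent() + "]";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // The internal-entity document quoted in the thread.
        String internal = "<!DOCTYPE replacements [\n"
                + "<!ENTITY replacement \"Replaced value gets through\">\n]>\n"
                + "<foo>&replacement;</foo>";
        // Constructed variant: same entity declared as external (placeholder URI).
        String external = "<!DOCTYPE replacements [\n"
                + "<!ENTITY replacement SYSTEM \"file:///constructed/placeholder.txt\">\n]>\n"
                + "<foo>&replacement;</foo>";
        System.out.println("internal entity: " + parse(internal));
        System.out.println("external entity: " + parse(external));
    }
}
```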
