Ask a Question

Customize request XML parsing

ASWORD
New Contributor

Customize request XML parsing

Hi,

is there a way of customizing the request XML parsing process in SOAP UI? I have already tried to check out the sources and intervene there but the codebase has proven to be a bit overwhelming to understand - I wasn`t able to understand where the configuration for the XML parser is set.

I`m trying to use it to demonstrate XXE payloads for a university project and it seems most of the popular payloads are not working on requests sent via SOAP UI, probably due to parser configuration... Basically I need to find how to turn off the anti-XXE measures.

There is an attachment to show what I mean to do...

Thanks

4 REPLIES 4
nmrao
Community Hero

Re: Customize request XML parsing

See below documentation helps.

https://www.soapui.org/getting-started/soapui-interface/preferences-and-settings.html

See turning off validate requests on Editor Settings helps.


Regards,
Rao.
ASWORD
New Contributor

Re: Customize request XML parsing

That was one of the solutions I tried as well - it is really starting to seem like it is validated somewhere deep, deep in the source code(or maybe I`m too much of a novice to find it).

Weird thing is that classical entity(just a string value replacement):
<!DOCTYPE replacements [
<!ENTITY replacement "Replaced value gets through">
]>
<foo>&replacement;</foo>

gets through and is present in the response as opposed to any other variation of XXE(xml bomb, replacements with results from FTP/HTTP/FILE links).

Anyways I think I`ll have to move away from SOAP UI for my XXE demo - really wanted to utilize it, I am a fan of the product.

I still appreciate you trying to help nmrao! Have a nice day!

nmrao
Community Hero

Re: Customize request XML parsing

Hmm; may be you can try &amp; instead of &


Regards,
Rao.
ASWORD
New Contributor

Re: Customize request XML parsing

Thank you for the suggestion, but alas it is not the answer...

Weird thing is there are test samples for XXE attacks in the sources, so it should be possible to test them:

https://github.com/SmartBear/soapui/tree/next/soapui/src/main/resources/com/eviware/soapui/resources...

Wondering if there is indeed some setting I haven`t enabled/disabled that is preventing me from testing just these exact payloads...

cancel
Showing results for 
Search instead for 
Did you mean: