Customize request XML parsing
is there a way of customizing the request XML parsing process in SOAP UI? I have already tried to check out the sources and intervene there but the codebase has proven to be a bit overwhelming to understand - I wasn`t able to understand where the configuration for the XML parser is set.
I`m trying to use it to demonstrate XXE payloads for a university project and it seems most of the popular payloads are not working on requests sent via SOAP UI, probably due to parser configuration... Basically I need to find how to turn off the anti-XXE measures.
There is an attachment to show what I mean to do...
See turning off validate requests on Editor Settings helps.
That was one of the solutions I tried as well - it is really starting to seem like it is validated somewhere deep, deep in the source code(or maybe I`m too much of a novice to find it).
Weird thing is that classical entity(just a string value replacement):
<!DOCTYPE replacements [
<!ENTITY replacement "Replaced value gets through">
gets through and is present in the response as opposed to any other variation of XXE(xml bomb, replacements with results from FTP/HTTP/FILE links).
Anyways I think I`ll have to move away from SOAP UI for my XXE demo - really wanted to utilize it, I am a fan of the product.
I still appreciate you trying to help nmrao! Have a nice day!
Thank you for the suggestion, but alas it is not the answer...
Weird thing is there are test samples for XXE attacks in the sources, so it should be possible to test them:
Wondering if there is indeed some setting I haven`t enabled/disabled that is preventing me from testing just these exact payloads...