Forum Discussion

ASWORD's avatar
ASWORD
New Contributor
7 years ago

Customize request XML parsing

Hi,

is there a way of customizing the request XML parsing process in SOAP UI? I have already tried to check out the sources and intervene there but the codebase has proven to be a bit overwhelming to understand - I wasn`t able to understand where the configuration for the XML parser is set.

I`m trying to use it to demonstrate XXE payloads for a university project and it seems most of the popular payloads are not working on requests sent via SOAP UI, probably due to parser configuration... Basically I need to find how to turn off the anti-XXE measures.

There is an attachment to show what I mean to do...

Thanks

4 Replies

    • ASWORD's avatar
      ASWORD
      New Contributor

      That was one of the solutions I tried as well - it is really starting to seem like it is validated somewhere deep, deep in the source code(or maybe I`m too much of a novice to find it).

      Weird thing is that classical entity(just a string value replacement):
      <!DOCTYPE replacements [
      <!ENTITY replacement "Replaced value gets through">
      ]>
      <foo>&replacement;</foo>

      gets through and is present in the response as opposed to any other variation of XXE(xml bomb, replacements with results from FTP/HTTP/FILE links).

      Anyways I think I`ll have to move away from SOAP UI for my XXE demo - really wanted to utilize it, I am a fan of the product.

      I still appreciate you trying to help nmrao! Have a nice day!

      • nmrao's avatar
        nmrao
        Champion Level 3
        Hmm; may be you can try &amp; instead of &