XXEGen

An XML External Entity file generator for security testing.

Created by @bbuerhaus and @nahamsec

How to use it

  1. Select a file format: docx or xlsx.
  2. Click the Generate File button.
  3. Use the URL shown to download the generated file.
  4. Open the listener.php link.
  5. Upload the docx or xlsx file to the website you are testing.
  6. Refresh the listener.php page and check whether the site made an external entity request.
  7. If the listener recorded a request, the site is vulnerable to XXE.

Listener

If you change the listener URL, the generated XXE document will make its request to whatever URL you specify, so make sure request logging or a logger is in place at that URL.
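
As an added example (not part of XXEGen itself), the following Python script shows the defensive side of the workflow above: how an upload handler can recognise a docx or xlsx file carrying an external entity declaration, like the ones this tool generates, before any XML parser touches it. It opens the OOXML zip container and flags any XML part that declares a DOCTYPE or an external entity, since a genuine Office file never needs either. The sample archives, the entity name and the listener.invalid URL are constructed for this example.

```python
import io
import re
import zipfile

# Constructed samples: a main document part with an external entity declaration and a clean one.
XXE_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE doc [<!ENTITY probe SYSTEM "http://listener.invalid/">]>\n'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>&probe;</w:t></w:r></w:p></w:body></w:document>'
)
CLEAN_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'
)

def build_docx(document_xml: str) -> bytes:
    """Pack a minimal OOXML container: content types plus the main document part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns='
                    '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter entities whose value comes from a SYSTEM or PUBLIC identifier.
ENTITY_RE = re.compile(
    rb'<!ENTITY\s+%?\s*([^\s>]+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+["\']([^"\']*)["\']',
    re.IGNORECASE)

def _xml_parts(package: bytes):
    """Yield (name, raw bytes) for every XML part in the OOXML zip container."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".xml", ".rels")):
                yield name, zf.read(name)

def has_doctype(package: bytes) -> bool:
    """Strict gate: a genuine Office file never needs a DTD, so any DOCTYPE is grounds to reject."""
    return any(DOCTYPE_RE.search(data) for _, data in _xml_parts(package))

def find_external_entities(package: bytes) -> list:
    """Return (part name, entity name, URI) for each external entity declared in the package."""
    findings = []
    for name, data in _xml_parts(package):
        for m in ENTITY_RE.finditer(data):
            findings.append((name, m.group(1).decode(errors="replace"), m.group(2).decode(errors="replace")))
    return findings
```

Rejecting on has_doctype is the simpler and stronger gate; find_external_entities is useful when you also want to log which listener URL an uploaded file would have contacted.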
