I have been discussing XXE injection in my web application. My web application allows expansion of user-supplied XML entities.
What I did:
Intercepted traffic using Burp.
Changed the request with Accept: text/xml.
Injected the XML in the cookie and checked the response.
As a result of XML expansion, the response included whatever XML I injected.
Other things I tried:
I tried with xxeinjector in the terminal and got a response from the server, which will help me to confirm there is XML expansion.
In order to make a proof of concept, how can I illustrate the XXE attack on my web application?
Is the above behavior correct? Is my approach towards XXE injection right?
If it's wrong, please kindly guide me how to perform XXE checks.
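The entity-expansion check described in the question, reproduced server-side as an added example (this is not the poster's code or their application): a harmless internal entity is declared and referenced, and the parsed text shows whether the parser expanded it, which is exactly the reflection the poster observed. Beside it is a hardened parse that rejects any DOCTYPE before the document is processed, which is the usual fix. The canary value and element names are constructed for the example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample: a benign "canary" entity of the kind a tester places in a
# cookie or body to learn whether user-supplied entity declarations are honoured.
CANARY_VALUE = "xxe-probe-7f3a"
CANARY_XML = (
    '<?xml version="1.0"?>'
    f'<!DOCTYPE d [<!ENTITY canary "{CANARY_VALUE}">]>'
    "<d>&canary;</d>"
)
PLAIN_XML = "<d>ok</d>"


class DoctypeRejected(ValueError):
    """Raised when user-supplied XML carries a DTD (DOCTYPE) at all."""


def parse_permissive(xml_text):
    """Default ElementTree/expat behaviour: internal entities declared in the
    document's own DTD are expanded, so the canary comes back in the text."""
    return ET.fromstring(xml_text).text


def parse_hardened(xml_text):
    """Reject any DOCTYPE up front. With no DTD there are no entity
    declarations, so neither internal expansion nor XXE can occur.
    (Equivalent knobs elsewhere: lxml's XMLParser(resolve_entities=False),
    or the defusedxml wrappers, which forbid DTDs by default.)"""
    guard = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE is not allowed in user-supplied XML")

    guard.StartDoctypeDeclHandler = on_doctype
    guard.Parse(xml_text, True)  # raises DoctypeRejected if a DTD is present
    return ET.fromstring(xml_text).text


def expansion_confirmed(parsed_text, canary=CANARY_VALUE):
    """The check from the question: the canary value appearing in the output
    means the parser honoured the injected entity declaration."""
    return parsed_text is not None and canary in parsed_text


if __name__ == "__main__":
    print("permissive:", parse_permissive(CANARY_XML))  # the canary is echoed
    try:
        parse_hardened(CANARY_XML)
    except DoctypeRejected as exc:
        print("hardened:", exc)
```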