An XML Entity testing cheatsheet. Testing was done using an older vulnerable version of nokogiri. In IRB you can require previous versions of gems. Certain techniques (e.g. XInclude) may require additional settings in Nokogiri.
Vanilla entity test:
SYSTEM entity test (xxe):
Parameter Entity Test. One of the benefits is a paremeter entity is automatically expanded inside the DOCTYPE:
Combined Entity and Parameter Entity:
URL handler. This follows XML Entity - IBM I have not seen this work “in the wild”. Should be useful for exfiltration testing:
XML Schema Inline:
Remote XML Schema. Also, have not been able to get this to work: