This is a simple Go program that can be used to test for XML External Entity (XXE) injection vulnerabilities.
Requirements:
- Go (1.13 or later)
To use XAT, you need to specify the URL of the target server as a command line argument using the -u flag.
Other flags:

Flag | Function
---|---
-t | Timeout for the HTTP request.
-p | Path to the XML payload file to inject; the bundled payloads.xml file can be used.
-verbose | Print additional debugging information while the tool runs.
-version | Print the tool's version number.
-username | Username for HTTP basic authentication.
-password | Password for HTTP basic authentication.
Example:
$ go run xat.go -u http://vulnerable-server.com/xxe-endpoint -t 60 -p /path/to/payloadFile.xml
The program sends the XML payload containing the XXE injection to the specified URL in an HTTP POST request. If the server is vulnerable to XXE injection, the response may reflect the expanded entity, for example the contents of a local file the payload references, and so leak sensitive information. An entity reference that comes back literally (e.g. `&xxe;`) means the server did not expand it.
Check the Payloads.md file for examples and to understand the different XXE payloads.
Please use this tool responsibly and only on systems that you have permission to test. Do not use this tool to perform unauthorized attacks on systems that you do not own or have permission to test.
- Licensed under MIT