CISPA

XAVIER: Grammar-Based Testing for XML Injection Attacks

conference contribution
posted on 2025-07-02, 07:18 authored by Paul Kalbitzer, Jose Antonio Zamudio Amaya, Andreas Zeller
Web services are essential for online interactions, supporting critical tasks like banking and shopping, but their importance also makes them prime targets for attacks. Attackers try to manipulate data by injecting malicious code, potentially compromising systems. Current approaches to preventing such attacks use techniques like attack grammars, symbolic execution, or machine learning to detect vulnerabilities or manually embed malicious payloads, that can miss parts of the service under test. In this paper, we propose XAVIER, a framework for detecting XML injection vulnerabilities. By leveraging the WSDL specification of a web service, XAVIER crafts XML messages that reflect the service’s functionality, enabling the examination of web services for XMLi vulnerabilities. Results show that XAVIER performs equally, or better than the state-of-the-art tool, SOAPUI PRO. Compared to the latter, XAVIER is open source and extensible, providing a platform for future research in the field.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

International Symposium on Software Testing and Analysis (ISSTA)

CISPA Affiliation

  • Yes

Page Range

46-50

Publisher

Association for Computing Machinery (ACM)

Open Access Type

  • Not Open Access

BibTeX

@conference{Kalbitzer:Amaya:Zeller:2025,
  title = "XAVIER: Grammar-Based Testing for XML Injection Attacks",
  author = "Kalbitzer, Paul and Amaya, Jose Antonio Zamudio and Zeller, Andreas",
  year = 2025,
  month = 6,
  pages = "46--50",
  publisher = "Association for Computing Machinery (ACM)",
  doi = "10.1145/3713081.3731736"
}
