Skip to main content

A command line tool to automate the exploitation of blind XPath injection vulnerabilities

Project description

XCat

XCat is a command line tool to exploit and investigate blind XPath injection vulnerabilities.

It supports an large number of features:

  • Auto-selects injections (run xcat injections for a list)

  • Detects the version and capabilities of the xpath parser and selects the fastest method of retrieval

  • Built in out-of-bound HTTP server

    • Automates XXE attacks
    • Can use OOB HTTP requests to drastically speed up retrieval
  • Custom request headers and body

  • Built in REPL shell, supporting:

    • Reading arbitrary files
    • Reading environment variables
    • Listing directories
    • Uploading/downloading files (soon TM)

For complete read the documentation here: https://xcat.readthedocs.io/en/latest/

Install

Run pip install xcat

Requires Python 3.7. You can easily install this with pyenv: pyenv install 3.7.1

Example application

There is a complete demo application you can use to explore the features of XCat. See the README here: https://github.com/orf/xcat_app

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for xcat, version 1.0.1
Filename, size File type Python version Upload date Hashes
Filename, size xcat-1.0.1-py3-none-any.whl (19.7 kB) File type Wheel Python version py3 Upload date Hashes View hashes
Filename, size xcat-1.0.1.tar.gz (14.2 kB) File type Source Python version None Upload date Hashes View hashes

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page