XCat is a command line program that aides in the exploitation of XPath injection vulnerabilities. It boasts a wide range of features and can utilize the more advanced features of the XPath 2.0 specification (pattern matching, unicode normilization and even http requests) or gracefully degrade to using XPath 1.0 if they are not available.

XCat is built to exploit boolean XPath injections (Where only one bit of data can be extracted in one request) and it requires you to manually identifiy the exploit first, this does not do that for you.


  • Exploits both GET and POST attacks
  • Extracts all nodes, comments, attributes and data from the entire XML document
  • Small and lightweight (only dependency is Twisted)
  • Parallel requests
  • XPath 2.0 supported (with graceful degrading to 1.0)
  • Regex pattern matching to reduce character search space
  • Unicode normalization
  • Advanced data postback through HTTP (see below)
  • Arbitrarily read XML files on the servers file system via the doc() function (see below)

Source here

usage: xcat.py [-h] [--method {GET,POST}] [--arg POST_ARGUMENT] [[--true TRUE_KEYWORD | --false FALSE_KEYWORD | --error ERROR_KEYWORD] [--true-code TRUE_CODE | --false-code FAIL_CODE | --error-code ERROR_CODE] [--schema-only] [--quotecharacter QUOTE_CHARACTER] [--executequery EXECUTEQUERY] [--max_search SEARCH_LIMIT] [--timeout TIMEOUT] [--stepsize STEP_SIZE] [--normalize {NFD,NFC,NFDK,NFKC}] [--xversion {1,2,auto}] [--lowercase] [--regex] [--connectback] [--connectbackip CONNECTBACK_IP] [--connectbackport CONNECTBACK_PORT] [--notfoundstring NOTFOUNDCHAR] [--fileshell] [--getcwd] [--useragent USER_AGENT] [--timeit] URL