SKILL: XSLT Injection — Testing Playbook

AI LOAD INSTRUCTION: XSLT injection occurs when attacker-influenced XSLT is compiled/executed server-side. Map the processor family first (Java/.NET/PHP/libxslt). Then chain document(), external entities, EXSLT, or embedded script/extension functions per platform. Authorized testing only; many payloads are destructive. Routing note: if input is generic XML parsing and may not flow through XSLT, cross-load xxe-xml-external-entity; if you care about outbound document(http:...) requests, cross-load ssrf-server-side-request-forgery.

0. QUICK START

1. Find sinks: parameters named xslt, stylesheet, transform, template, SOAP stylesheets, report generators, XML→HTML converters.
2. Probe reflection: inject unique namespace or xsl:value-of select="'marker'" — if output changes, execution likely.
3. Fingerprint processor (§1).
4. Escalate by family: document() / XXE (§2–3), EXSLT write (§4), PHP (§5), Java (§6), .NET (§7).

Quick probe (harmless marker):