Resumen
The paper considers the concept of external entities in the XML language, provides the most popular scenarios for executing attacks on web applications using external XML entities. A brief comparative review of dynamic testing tools for XXE-vulnerabilities has been performed. Described the process of deploying the stand for testing web applications for the presence of XXE vulnerability and implemented various testing scenarios both manually and using the OWASP ZAP scanner. There are also improvements to the OWASP ZAP software that were implemented during the course of the work. XXE testing was performed on two applications: OWASP Multillidae and XXELab. A module has been implemented that allows you to configure ZAP through the REST API, run the scanner to actively scan XXE vulnerabilities and get a report on the work. Vulnerability search automation is implemented using the REST API and Qt.