Skip to content


Switch branches/tags


Python package Rawsec's CyberSecurity Inventory

XCat is a command line tool to exploit and investigate blind XPath injection vulnerabilities.

For a complete reference read the documentation here:

It supports an large number of features:

  • Auto-selects injections (run xcat injections for a list)

  • Detects the version and capabilities of the xpath parser and selects the fastest method of retrieval

  • Built in out-of-bound HTTP server

    • Automates XXE attacks
    • Can use OOB HTTP requests to drastically speed up retrieval
  • Custom request headers and body

  • Built in REPL shell, supporting:

    • Reading arbitrary files
    • Reading environment variables
    • Listing directories
    • Uploading/downloading files (soon TM)
  • Optimized retrieval

    • Uses binary search over unicode codepoints if available
    • Fallbacks include searching for common characters previously retrieved first
    • Normalizes unicode to reduce the search space


Run pip install xcat

Or using docker: docker run -it tomforbes/xcat --help

Or on fedora, dnf install xcat 😎

Requires Python 3.7. You can easily install this with pyenv: pyenv install 3.7.1

Example application

There is a complete demo application you can use to explore the features of XCat. See the README here: