Q22 of 24 · Security
How do you test for injection vulnerabilities beyond SQL — including command, LDAP, and XML injection?
Short answer
Each injection type exploits a different parsing context and therefore needs different payloads. Command injection targets OS shell calls; LDAP injection targets directory queries; XML injection/XXE targets XML parsers. For each, submit payloads that would alter the parser's logic, then assert that no unintended data or behaviour is returned.
Detail
Command injection: occurs where user input reaches an OS shell call (exec(), system(), subprocess). Common in: file conversion tools, image processors, ping/traceroute features, report generators.
Test payloads: ; ls -la, | cat /etc/passwd, && id, and backtick command substitution such as `whoami`
Assert: response does not contain file system output, user identity, or error output from shell commands. The correct response is a validation error or the normal result of the intended operation.
LDAP injection: occurs where user input is interpolated into an LDAP query string. Common in: login forms using LDAP/Active Directory authentication, user search features.
Test payloads: *)(|(uid=*), admin)(&), *
Assert: the query returns only the intended result (not all users), and no authentication bypass occurs.
XML injection / XXE (XML External Entity): XXE occurs when an XML parser processes an external entity reference defined in a DOCTYPE. If the server accepts XML input and the parser has external entities enabled, an attacker can read local files.
Test: submit a crafted XML body with an external entity reference pointing to a known file (/etc/passwd) or an external URL. Assert the response does not contain file contents and the external request is not made.
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>
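As an added example (not part of the original card), the XXE assertion above turned into a hardened XML intake in Python using only the standard library's xml.parsers.expat; the function names, the DOCTYPE gate and the sample documents are constructed here:

```python
import re
from xml.parsers import expat


class UnsafeXml(ValueError):
    """Raised when untrusted XML tries something the service must refuse."""


# Layer 1: untrusted clients have no business shipping a DTD at all.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def _refuse_external_entity(context, base, system_id, public_id):
    # Layer 2: expat calls this only when content references a SYSTEM/PUBLIC
    # entity. Never fetch it; raising aborts the parse with a clear reason.
    raise UnsafeXml(f"external entity reference refused: {system_id!r}")


def parse_untrusted_xml(xml_bytes: bytes, allow_dtd: bool = False) -> str:
    """Return the document's character data, or raise UnsafeXml."""
    if not allow_dtd and _DOCTYPE_RE.search(xml_bytes):
        raise UnsafeXml("DOCTYPE declaration not permitted")
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = _refuse_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text)


def xxe_check(xml_bytes: bytes, allow_dtd: bool = False) -> tuple:
    """The card's assertion in code: (accepted, text_or_reason).
    A correct result never carries file contents such as 'root:x:0:0'."""
    try:
        return True, parse_untrusted_xml(xml_bytes, allow_dtd)
    except (UnsafeXml, expat.ExpatError) as exc:
        return False, str(exc)


# Constructed sample inputs: the card's XXE payload and a benign document.
XXE_PAYLOAD = (b'<?xml version="1.0"?>\n'
               b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
               b'<data>&xxe;</data>')
BENIGN = b'<?xml version="1.0"?><data>order 42</data>'

if __name__ == "__main__":
    print(xxe_check(BENIGN))                       # (True, 'order 42')
    print(xxe_check(XXE_PAYLOAD))                  # DOCTYPE rejected outright
    print(xxe_check(XXE_PAYLOAD, allow_dtd=True))  # entity refused by layer 2
```

Running the check with allow_dtd=True shows that the second layer holds on its own, which is the configuration to verify when a service legitimately has to accept DTDs.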
SSTI (Server-Side Template Injection): if user input is rendered through a template engine, submit template syntax ({{7*7}}, ${7*7}). If the response contains 49, the input is being evaluated by the template engine, which is a critical finding.