Use the following tips when you are testing products that use XML:
When you test an application that consumes XML input, do not limit testing to XML-specific cases. Most non-XML-specific attacks (HTML scripting attacks, spoofing, buffer overflows, information disclosure, etc.) can occur through XML.
Use CDATA and character references to include arbitrary characters as part of the XML, while still creating well-formed and valid XML.
When creating XML input, it is important to use an editor that allows complete control of all aspects of the data. For example, an XML-specific editor might not allow you to create certain fields or might automatically change data when saving it. A basic text or binary editor is ideal for XML files and a Web proxy for SOAP messages.
Don't forget the XML- and SOAP-specific tests, including infinite entity reference loops, XML bombs, complex XML, external entities, XML injection, large file references, and SOAP array DoS.
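Two of the tips above in working form, as an added Python example that is not from the original text: CDATA sections and character references both hand the consuming application the raw characters while the document stays well-formed, and the DTD-dependent tests (entity reference loops, XML bombs, external entities) can be shut out by refusing any DOCTYPE before the parser reads it. The sample documents are constructed, and `parse_untrusted` is an assumed name.

```python
import xml.parsers.expat

# Constructed sample inputs (not from the original page).
CDATA_DOC = b"<comment><![CDATA[<script>alert(1)</script>]]></comment>"
CHARREF_DOC = b"<comment>&#60;script&#62;alert(1)&#60;/script&#62;</comment>"
DTD_DOC = b'<?xml version="1.0"?><!DOCTYPE comment [<!ENTITY e "x">]><comment>&e;</comment>'


class DtdNotAllowed(ValueError):
    """Raised when untrusted input carries a DOCTYPE declaration."""


def parse_untrusted(data):
    """Parse XML from an untrusted source and return (root_tag, text).

    A DOCTYPE is rejected the moment expat sees it, before any entity
    declarations inside it are read. Entity loops, XML bombs and external
    entities all need a DTD to declare the entities they rely on, so this
    one check removes that whole class of input.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    # Expat delivers CDATA content and decoded character references through
    # CharacterDataHandler, often in several chunks, so collect all of them.
    def on_chars(text):
        state["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return state["root"], "".join(state["text"])


def rejects_dtd(data):
    """True if parse_untrusted refuses the document because of a DOCTYPE."""
    try:
        parse_untrusted(data)
    except DtdNotAllowed:
        return True
    return False


if __name__ == "__main__":
    # Both well-formed documents deliver the same "<script>..." text to the
    # application, which must therefore validate or encode it itself.
    print(parse_untrusted(CDATA_DOC))
    print(parse_untrusted(CHARREF_DOC))
    print("DTD rejected:", rejects_dtd(DTD_DOC))
```

The point for a tester is that XML well-formedness is not a filter: whatever the schema says about a field, the text reaching the application can be anything CDATA or a character reference can express.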