XML usage is becoming popular in both client and server applications. XML data sent to an application should be treated just as other input code paths. Most attacks that are possible in traditional input data are also possible with XML input (HTML scripting attacks, spoofing, buffer overflows, etc.). Testing for these types of issues can require that you encode certain characters so that the test case is seen by the parser as well- formed and valid XML. As discussed, you should also test XML-specific attacks. When testing SOAP requests, it is important to create custom requests to perform malicious client testing against the server.