SKILL: XML External Entity Injection (XXE) — Expert Attack Playbook AI LOAD INSTRUCTION : Expert XXE techniques. Covers all injection contexts (SOAP, REST JSON→XML parsers, Office files, SVG), OOB exfiltration (critical when direct read fails), blind XXE detection, and XXE-to-SSRF chain. Base models often miss OOB and non-XML context XXE. For real-world CVE chains, Office docx XXE step-by-step, PHP expect:// RCE, and Solr XXE+RCE, load the companion SCENARIOS.md. 0. RELATED ROUTING Also load: - upload insecure files when XXE is reachable through SVG, OOXML, import, or preview pipelines Extend…