Attack Afternoon – XXE
You may be familiar with some of the numerous web security acronyms: XSS, CSRF, … But have you heard about XXE?
XML External Entity (XXE) attacks are gaining more attention recently, after having been underestimated for a long time.
Whenever your application parses XML files, it usually expects them to comply with a certain format. An attacker, however, can try to add new XML entity definitions into the file. XML supports a concept called “external entities”, which lets you access local or remote content. If your XML processor allows such external entities, the attacker may be able to exploit it in order to read out sensitive local files on your server, for instance.
Unfortunately, most XML parsing libraries process external entities by default. So it is always a good idea to check your configuration regarding this aspect!
Further reading at the OWASP
Have you ever wondered what a pentest is exactly or how such a test works? Our Big Application Security Penetration Test FAQ for clients answers these questions and much more.read more
One tool which should be installed on every pentester PC is nmap. This command line tool is the Swiss army knive for penetration tests on network level, but also used regularly by system administrators.read more
Our head office is located in the heart of Bavaria, since the time of SecureNet. Come have a look!read more
One of the most important fundamentals for practiced security is the creation of awareness for threats in information security. In our IT Security Awareness Training, we demonstrate how attackers act, what motivates them and how easy it is to do damage.read more
There are countless tools and variants for testing TLS/SSL connections. With these three simple tools you can easily check your own configuration.read more