Attack Afternoon – XXE
You may be familiar with some of the numerous web security acronyms: XSS, CSRF, … But have you heard about XXE?
XML External Entity (XXE) attacks are gaining more attention recently, after having been underestimated for a long time.
Whenever your application parses XML files, it usually expects them to comply with a certain format. An attacker, however, can try to add new XML entity definitions into the file. XML supports a concept called “external entities”, which lets you access local or remote content. If your XML processor allows such external entities, the attacker may be able to exploit it in order to read out sensitive local files on your server, for instance.
Unfortunately, most XML parsing libraries process external entities by default. So it is always a good idea to check your configuration regarding this aspect!
Do you want to make sure that your application does not contain XXE vulnerabilities? Ask us for an analysis now!
Further reading at the OWASP
New Can I Trust Test Case: Browser returns secret out of pre-cached response in a CORS-Request
#1 – New Can I Trust Test Case – Browser returns secret out of pre-cached response in a CORS-Request
Update – WordPress Author Security
Update: Our WordPress Author Security Plugin is now available in the WordPress Plugin Store.
WordPress Author Security
How can you actively prevent usernames from being enumerated on WordPress author pages?
Pentest FAQ – #18 and #19 – How are vulnerabilities found evaluated? And what is the CVSS?
In our Big Application Security Penetration Test FAQ for clients we answer everything you should know before, during and after the commissioning of an Application Security Penetration Test.
In focus today: Questions #18 and #19 – How are vulnerabilities found evaluated? And what is the CVSS?
Attack Afternoon – CSRF Countermeasures #2
CSRF Countermeasures #2: Another way to protect against CSRF – stateless – is the Double Submit Cookie method.