Attack Afternoon – XXE
You may be familiar with some of the numerous web security acronyms: XSS, CSRF, … But have you heard about XXE?
XML External Entity (XXE) attacks are gaining more attention recently, after having been underestimated for a long time.
Whenever your application parses XML files, it usually expects them to comply with a certain format. An attacker, however, can try to add new XML entity definitions into the file. XML supports a concept called “external entities”, which lets you access local or remote content. If your XML processor allows such external entities, the attacker may be able to exploit it in order to read out sensitive local files on your server, for instance.
Unfortunately, most XML parsing libraries process external entities by default. So it is always a good idea to check your configuration regarding this aspect!
Further reading at the OWASP
Is your web application vulnerable to SQL Injection? With sqlmap you can test it.
CSRF Countermeasures #1: One possibility to prevent CSRF is the usage of an anti-CSRF token.
CSRF stands for “Cross-Site Request Forgery” and is a classic among web application attacks. With this attack, it is possible to perform certain user actions without them noticing it. But how exactly does this attack work?
At the it-sa 2019 we will present our innovative consulting concept Lean Application Security.
Our second office is located in Dresden, the capital of Saxony. Come have a look at our office there!