Attack Afternoon – XXE

Aug 2, 2019

You may be familiar with some of the numerous web security acronyms: XSS, CSRF, … But have you heard about XXE?
XML External Entity (XXE) attacks are gaining more attention recently, after having been underestimated for a long time.

Whenever your application parses XML files, it usually expects them to comply with a certain format. An attacker, however, can try to add new XML entity definitions into the file. XML supports a concept called “external entities”, which lets you access local or remote content. If your XML processor allows such external entities, the attacker may be able to exploit it in order to read out sensitive local files on your server, for instance.

Unfortunately, most XML parsing libraries process external entities by default. So it is always a good idea to check your configuration regarding this aspect!

Do you want to make sure that your application does not contain XXE vulnerabilities? Ask us for an analysis now! 

Further reading at the OWASP

Attack Afternoon - XXE

Recent posts

mgm sp @ Dresden

Our second office is located in Dresden, the capital of Saxony. Come have a look at our office there!

read more

mgm sp @ Heise DevSec

With the topic “How practical is DevSecOps really? – A field report” our colleague Maximiliane Zirm is present at this year’s Heise devSec. 

read more

Tool Tuesday – nmap

One tool which should be installed on every pentester PC is nmap. This command line tool is the Swiss army knive for penetration tests on network level, but also used regularly by system administrators.

read more