Contact us: info@akimbocore.com

XXE: XML External Entity Injection

Published: 19 October 2020    Last Updated: 03 July 2023

XML Entity Injection is a powerful vulnerability that can allow for confidential data theft and in rare cases command execution. It was also often overlooked for a while - but now it features in the OWASP Top 10 as A4 it's a lot more well known. The issue comes about within XML parsers where external entities are processed which can allow for URIs to be loaded.

Wait, back up. What's an entity? An easy way to think of entities is like a variable. It can hold strings, so an entity can be used in XML to hold text content - or it can be used with a URI to load remote content.


Continue Reading

Categories

Fixing

Guidance on remediating vulnerabilities.

Infrastructure

Articles concentrating on network and operating system level attacks.

Web Application

Articles covering attacks against web applications and their associated APIS.

Breaches

Articles concentrating on past data breaches, looking for lessons learned.

Wireless

Articles covering breaking into wireless networks and how to keep them safe.

Building

Articles about building secure systems.

Cheat Sheets

Cheat sheets containing common commands or payloads for common vulnerabilities.

Copyright © 2021 Akimbo Core Ltd

Company Number: 13143302

Build: 6-11