When pentesting web services or an application that leverage XML files, XML External Entity (XXE) attacks are a great way to start. By injecting an XXE into a well crafted XML payload before it's sent to the server, a penetration tester can trick the parser into executing other actions that the developer never intended. This can lead to reading local files, server-side request forgeries (SSRF) or even gaining remote code execution (RCE). To help penetration testers, Beau Bullock (@dafthack) and Mike Felch (@ustayready) cover a few different methods to attack XML parsers in episode 19 of Tradecraft Security Weekly!
Links:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet[audio src="
http://traffic.libsyn.com/tswaudio/Dissecting_XXE_Attacks_-_Tradecraft_Security_Weekly_19_converted.mp3"]
Tradecraft Security WeeklySubscribe
Dissecting XXE Attacks – Tradecraft Security Weekly #19
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds


