XML eXternal Entities

Notes from the BSidesPDX talk by @brimy, giving a great introduction to how XXE vulnerabilities operate. Video posted.

XXE was added to the OWASP Top 10 in 2017.

Entities

HTML "entities" are the usual entry point: `&amp;` is rendered as `&`. The reference in the markup triggers a substitution when the document is rendered.

XML has user-defined entities (declared in the DTD, then referenced in the body):

    <!ENTITY xml "Extensible Markup Language">
    &xml;

External entities:

    <!ENTITY chapter1 SYSTEM "chapter1.txt">

Rendering the tag executes a call to fetch the contents of chapter1.txt and render it in place of the reference. This lets a user who controls the XML have code executed at the rendering phase, and access and return sensitive data.
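The following is an added example, not code from the talk or its speaker. It shows the two entity kinds from the notes side by side: an internal (user-defined) entity is expanded by the parser from its own DTD, while an external `SYSTEM` entity would make the parser fetch a file. The defensive pieces are a pre-parse check that rejects any DTD declaring external entities (or any DOCTYPE at all, the usual policy for untrusted input), and a SAX parser with external general and parameter entity resolution switched off explicitly. The sample documents, the file name `chapter1.txt` and `external.dtd`, and the function names are constructed for this example.

```python
"""Added example: internal vs. external XML entities, and two defender-side
controls (a DTD pre-check and a parser with external entities disabled)."""
import re
import xml.etree.ElementTree as ET
import xml.sax
from io import StringIO
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample: the talk's user-defined (internal) entity.
INTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY xml "Extensible Markup Language">
]>
<note>&xml;</note>"""

# Constructed sample: the talk's external entity; a resolving parser
# would read chapter1.txt from disk and inline it.
EXTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE book [
  <!ENTITY chapter1 SYSTEM "chapter1.txt">
]>
<book>&chapter1;</book>"""

# Constructed sample: an external *parameter* entity (the %name; form).
PARAM_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % ext SYSTEM "external.dtd">
  %ext;
]>
<data/>"""


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD we refuse to process."""


# XML keywords are case-sensitive, so a real parser only honours the
# upper-case forms; the check is deliberately stricter than the parser.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_DECL_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def external_entity_declarations(xml_text: str) -> list:
    """Return every external (SYSTEM/PUBLIC) entity declaration found in the DTD,
    general and parameter entities alike."""
    return _EXTERNAL_DECL_RE.findall(xml_text)


def parse_untrusted(xml_text: str, allow_dtd: bool = False) -> ET.Element:
    """Parse untrusted XML, refusing external entity declarations outright and,
    unless allow_dtd is set, refusing any DOCTYPE at all.

    This is a text-level pre-check: it runs before the parser sees the
    document, so it is defence in depth, not a replacement for parser
    settings (a document in an unexpected encoding could slip past a regex)."""
    if external_entity_declarations(xml_text):
        raise UnsafeXMLError("external entity declaration in DTD")
    if not allow_dtd and _DOCTYPE_RE.search(xml_text):
        raise UnsafeXMLError("DOCTYPE not allowed in untrusted input")
    # expat (behind ElementTree) expands internal entities from the DTD itself.
    return ET.fromstring(xml_text)


class _TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually emitted."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def sax_text_no_external(xml_text: str) -> str:
    """Parse with external general and parameter entities explicitly disabled.

    An external entity reference is then skipped rather than resolved, so the
    file named in the SYSTEM declaration is never opened."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(StringIO(xml_text))
    return "".join(collector.parts)


if __name__ == "__main__":
    print(parse_untrusted(INTERNAL_ENTITY_DOC, allow_dtd=True).text)
    print(external_entity_declarations(EXTERNAL_ENTITY_DOC))
    print(external_entity_declarations(PARAM_ENTITY_DOC))
    print(repr(sax_text_no_external(EXTERNAL_ENTITY_DOC)))
```

With the internal entity document, both parsers return the substituted text "Extensible Markup Language", which is the expansion the notes describe. The external entity document is rejected by `parse_untrusted` before parsing, and the SAX parser with external entities off yields an empty string for `<book>&chapter1;</book>` because the reference is skipped instead of resolved. In a real service the parser-level setting (or a library such as defusedxml) is the primary control; the regex pre-check is there so a misconfigured parser elsewhere in the pipeline still gets a second chance.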