XXE For Dummies
XML eXternal Entities. Notes from the BSidesPDX talk by @brimy, which gives a great introduction to how XXE vulnerabilities operate. Video posted

XXE was added to the OWASP Top 10 in 2017.

Entities
HTML entities are the usual entry point: an HTML entity such as &amp; is rendered as &, and that substitution happens at rendering time.

XML has user-defined entities:
<!ENTITY xml "Extensible Markup Language">
A reference to &xml; is replaced with the declared value when the document is parsed.

External entities:
<!ENTITY chapter1 SYSTEM "chapter1.txt">
When the parser expands &chapter1;, it fetches the contents of chapter1.txt and substitutes them into the document.

This means whoever controls the XML input can make the parser act on their own entity declarations at parse time, and so read and return sensitive data.
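To make the mechanism above concrete from the defending side, here is an added example (my own code, not from the talk or its author) that uses only the Python standard library. It parses a document with expat and records every entity declaration and every external entity reference without ever opening the referenced file, then shows the standard mitigation: refusing any input that carries a DOCTYPE at all. The sample documents are constructed; the `chapter1.txt` entity is the one from the notes.

```python
# Added example, not from the talk: an XXE-oriented audit of XML input using
# only the Python standard library (xml.parsers.expat, xml.etree.ElementTree).
# expat lets us observe entity declarations and external entity references
# without opening the referenced resource, which is what a defensive
# pre-parse check wants. All sample documents below are constructed.
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class DtdNotAllowed(Exception):
    """Raised by parse_without_dtd() when the input carries a DOCTYPE."""


def audit_entities(xml_text: str) -> dict:
    """Scan an XML document and report its DTD/entity usage.

    Returns a dict with:
      doctype    - True if the document has a <!DOCTYPE ...> declaration
      internal   - names of entities declared with a literal value
      external   - names of entities declared with SYSTEM/PUBLIC identifiers
      referenced - system identifiers of external entities actually
                   referenced from content (these are what an XXE would read)
    Nothing is fetched: the external-entity handler only records and moves on.
    """
    report = {"doctype": False, "internal": [], "external": [], "referenced": []}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            report["external"].append(name)
        else:
            report["internal"].append(name)

    def on_external_ref(context, base, system_id, public_id):
        # Called when content references an external entity. Returning a true
        # value tells expat the reference was handled; system_id is never opened.
        report["referenced"].append(system_id)
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_text, True)
    return report


def parse_without_dtd(xml_text: str) -> ET.Element:
    """Hardened parse: refuse any document that carries a DOCTYPE at all.

    Disabling DTDs outright is the usual XXE mitigation; it rules out external
    entities, parameter entities and entity-expansion bombs in one step.
    """
    if audit_entities(xml_text)["doctype"]:
        raise DtdNotAllowed("DOCTYPE declarations are not accepted")
    return ET.fromstring(xml_text)


# Constructed sample: the two entity declarations from the notes in one document.
SAMPLE_WITH_ENTITIES = """<?xml version="1.0"?>
<!DOCTYPE book [
  <!ENTITY xml "Extensible Markup Language">
  <!ENTITY chapter1 SYSTEM "chapter1.txt">
]>
<book><title>&xml;</title><body>&chapter1;</body></book>"""

# Constructed sample: plain data with no DTD, which the hardened parser accepts.
SAMPLE_PLAIN = '<?xml version="1.0"?><book><title>XML</title></book>'


if __name__ == "__main__":
    print(audit_entities(SAMPLE_WITH_ENTITIES))
    try:
        parse_without_dtd(SAMPLE_WITH_ENTITIES)
    except DtdNotAllowed as exc:
        print("rejected:", exc)
    print("accepted root:", parse_without_dtd(SAMPLE_PLAIN).tag)
```

Running the audit on the first sample reports one internal entity (`xml`), one external entity (`chapter1`) and one external reference (`chapter1.txt`) without touching the filesystem; the hardened parser rejects that document and accepts the DTD-free one. In a real service the audit output is what you would log or alert on, while the DOCTYPE rejection is the control you actually enforce.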