XML external entity (XXE) flaws enable attackers to upload custom XML containing hostile content, forcing XML processors to perform unauthorized actions. In this video, learn how to test for XXE flaws.
- [Instructor] The fourth set of risks in the OWASP Top 10 list is XML external entity flaws. By uploading an XML file that contains hostile content, an attacker could potentially launch multiple attacks from the XML processor that handles the file. And what do I mean by hostile content? An attacker can post an XML file that contains an entity tag, one that tells the parser to process an external entity, or some resource that lives outside of the XML file itself. For example, that tag can use the system identifier to attempt to open or access files on the server, files that were never meant to be exposed to the application. This attack works more often than not, since most XML parsers are designed to process external entities by default. Attacks like these are sometimes referred to as server-side request forgery attacks. They bypass the application and hide untrusted commands inside of files, attempting to execute those commands on the backend server.
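The defensive counterpart of what the instructor describes, as an added example that is not part of the course: a parser built on Python's standard-library expat bindings that refuses exactly the two constructs an XXE payload depends on, an external DTD on the DOCTYPE and any entity declared with a SYSTEM or PUBLIC identifier, while still accepting ordinary documents and harmless internal entities. The function names, the file path and the DTD host are assumptions; the sample documents are constructed.

```python
import xml.parsers.expat as expat

class XXEAttempt(ValueError):
    """The document tried to pull in a resource from outside the XML itself."""

def parse_hardened(xml_bytes: bytes) -> dict:
    """Parse untrusted XML; return {'root': tag, 'text': character data}."""
    p = expat.ParserCreate()
    # Never fetch external parameter entities (an external DTD subset).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    out = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid is not None or pubid is not None:
            raise XXEAttempt(f"DOCTYPE {name} points at external DTD {sysid!r}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities carry a literal value; external ones carry a
        # SYSTEM/PUBLIC identifier, which is what an XXE payload relies on.
        if sysid is not None or pubid is not None:
            raise XXEAttempt(f"external entity {name} -> {sysid!r}")

    def on_start(tag, attrs):
        if out["root"] is None:
            out["root"] = tag

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = lambda *a: 0  # refuse resolution regardless
    p.StartElementHandler = on_start
    p.CharacterDataHandler = out["text"].append
    p.Parse(xml_bytes, True)
    return {"root": out["root"], "text": "".join(out["text"])}

def screen(xml_bytes: bytes) -> tuple:
    """(accepted, detail): what a gateway would log before handing XML on."""
    try:
        return True, parse_hardened(xml_bytes)
    except XXEAttempt as e:
        return False, f"xxe: {e}"
    except expat.ExpatError as e:
        return False, f"malformed: {e}"

# Constructed samples (hypothetical path and host, not real targets).
CLEAN = b'<?xml version="1.0"?><order><item>widget</item></order>'
INTERNAL = b'<!DOCTYPE o [<!ENTITY co "Example Corp">]><o><item>&co;</item></o>'
XXE_FILE = b'<!DOCTYPE o [<!ENTITY x SYSTEM "file:///some/server/file">]><o>&x;</o>'
XXE_DTD = b'<!DOCTYPE o SYSTEM "http://placeholder.invalid/ext.dtd"><o>hi</o>'
```

Running `screen()` over the four samples accepts the first two and rejects the last two with an `xxe:` reason, which is the signal to log and alert on at the boundary where XML is received.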