XML eXternal Entity (XXE)
Cheat Sheet:
http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html
Prevention:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
Exploitation:
http://www.silentrobots.com/blog/2015/12/14/xe-cheatsheet-update/
http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
https://blog.bugcrowd.com/advice-from-a-researcher-xxe
Parsers
The choice of XML parser affects whether XXE attacks succeed, so it is important to consider how to invoke each parser in a safe manner.
Reference: http://web-in-security.blogspot.de/2016/03/xml-parser-evaluation.html
Crimson
- DoS attacks - Apply a DeclHandler
- XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
- URL Invocation attacks - Apply an EntityResolver
- Quirks: The features external-general-entities and external-parameter-entities cannot be set (they are always true).
Piccolo
- DoS attacks - Apply a DeclHandler
- XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
- Quirks: The state of the feature external-parameter-entities is reported incorrectly.
Xerces SAX/DOM
- DoS attacks - Apply a DeclHandler
- XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
- Information: use the feature disallow-doctype-decl = false as a countermeasure for all attacks.
Oracle SAX/DOM
- DoS attacks - Apply a DeclHandler
- XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
- Quirks: The features external-general-entities and external-parameter-entities are not supported.
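The three countermeasures named in the parser list above (a DeclHandler against entity-expansion DoS, an EntityResolver against XXE/URL invocation, and the Xerces feature disallow-doctype-decl, which only rejects a DOCTYPE when it is set to true) combined in one added Java example; this is not code from the cited evaluation. The class name, the sample document and the size heuristic in internalEntityDecl are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.ext.DefaultHandler2;

public class HardenedSaxParse {
    // Constructed sample: an inline DOCTYPE declaring an external entity.
    static final String SAMPLE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
        + "<x>&ext;</x>";

    public static void main(String[] args) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Xerces: true rejects every DOCTYPE, which stops all entity-based attacks at once.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where the feature is missing or misreported.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader r = f.newSAXParser().getXMLReader();

        // DefaultHandler2 implements both DeclHandler and EntityResolver(2).
        DefaultHandler2 h = new DefaultHandler2() {
            @Override public void externalEntityDecl(String name, String pub, String sys) throws SAXException {
                throw new SAXException("external entity declaration rejected: " + name);
            }
            @Override public void internalEntityDecl(String name, String value) throws SAXException {
                // DoS (nested expansion): refuse values that are long or reference other entities.
                if (value.length() > 64 || value.contains("&"))
                    throw new SAXException("entity declaration rejected: " + name);
            }
            @Override public InputSource resolveEntity(String pub, String sys) throws SAXException {
                // Never fetch anything (XXE / URL invocation): fail instead of resolving.
                throw new SAXException("external resource blocked: " + sys);
            }
            @Override public InputSource resolveEntity(String name, String pub, String base, String sys)
                    throws SAXException, IOException {
                return resolveEntity(pub, sys); // EntityResolver2 path used by Xerces
            }
        };
        r.setProperty("http://xml.org/sax/properties/declaration-handler", h);
        r.setEntityResolver(h);
        r.setContentHandler(h);
        try {
            r.parse(new InputSource(new StringReader(SAMPLE)));
        } catch (SAXException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

With disallow-doctype-decl set to true the sample is rejected before any handler runs; the DeclHandler and EntityResolver only come into play on parsers that lack that feature.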
Safe Coding Practices
http://www.safecode.org/publication/SAFECode_Dev_Practices0211.pdf
Threat Modeling
https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx