Lesson 08 - OWASP Top 10 2017 - A4:2017-XML External Entities (XXE)

AppSec Starter is a basic application security awareness training used for onboarding new developers. It is not intended to cover advanced or hands-on topics. Conviso has customized training and practical training platforms.

Training recorded by Nicolas Schmaltz and copyright reserved to Conviso Application Security S/A.

Lesson 8 Contents:

Many older or poorly configured XML processors evaluate references to external entities within XML documents. These external entities can be used to disclose internal files through the file URI handler, reach internal file shares, scan internal ports, achieve remote code execution, and cause denial of service attacks such as the Billion Laughs attack.
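
The sketch below is an added example, not part of the recorded lesson. It shows one way to keep a parser from evaluating entities at all: refuse any document that declares a DTD before handing it to the real parser. It assumes Python's standard library; `safe_parse`, `is_rejected` and `ForbiddenXML` are hypothetical names, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised when a document carries a DTD, which untrusted input rarely needs."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # Entities (external ones and nested internal ones) can only be declared
    # inside a DTD, so refusing the DOCTYPE blocks both external entity
    # resolution and entity-expansion denial of service.
    raise ForbiddenXML(f"DOCTYPE declaration not allowed (root name: {name!r})")


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML, rejecting any document that declares a DTD."""
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    checker.Parse(data, True)   # raises ForbiddenXML or expat.ExpatError
    return ET.fromstring(data)  # only reached for DTD-free, well-formed input


def is_rejected(data: bytes) -> bool:
    """Return True when safe_parse refuses the document because of a DTD."""
    try:
        safe_parse(data)
    except ForbiddenXML:
        return True
    return False


# Constructed sample documents (not taken from the lesson).
BENIGN = b"<order><item>book</item></order>"
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">]>'
    b"<order><item>&ext;</item></order>"
)
NESTED_ENTITIES = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;">]>'
    b"<order><item>&b;</item></order>"
)

if __name__ == "__main__":
    print(safe_parse(BENIGN).findtext("item"))
    for label, doc in [("external entity", EXTERNAL_ENTITY), ("nested entities", NESTED_ENTITIES)]:
        print(label, "rejected:", is_rejected(doc))
```

Applications that genuinely need DTDs cannot use this blanket rejection and should instead disable external entity resolution in the parser's own configuration.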