Attackers can abuse the XML entities your application accepts through XML External Entity (XXE) attacks. An XXE attack can be used to make the server call out to external hosts or to extract information from the server itself. Many applications use XML, a language for structuring data. XML documents contain entities, which act as placeholders for other pieces of information. This kind of attack plays on the XML document and how it is validated. Imagine your application expects some value to come back but does not properly validate what is acceptable. Imagine that instead of retrieving the file you expected, you retrieve the Linux password file for all users.
```xml
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ELEMENT data ANY>
  <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>
```
XML files come in many shapes and formats; think of websites that accept .docx, .xlsx or .pptx uploads, which are all XML-based file types.
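One defensive check for documents like the one above, as an added example that is not part of the original post: a small Python screen, built on the standard library's expat parser, that refuses any untrusted XML carrying a DOCTYPE (the only place an entity such as `file` can be declared) before the document reaches the application's real parser. The two sample documents, the function names and the `DoctypeRejected` exception are this example's own constructions.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

# Constructed samples: the XXE document shown in the post, and a harmless one.
MALICIOUS_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE data [ <!ELEMENT data ANY> '
    '<!ENTITY file SYSTEM "file:///etc/passwd"> ]>'
    '<data>&file;</data>'
)
BENIGN_XML = '<?xml version="1.0"?><data>quarterly report</data>'


class DoctypeRejected(ValueError):
    """Raised when untrusted XML tries to declare a DOCTYPE (and therefore entities)."""


def contains_doctype(xml_text: str) -> bool:
    """Return True if the document carries a DOCTYPE declaration.

    Entities, internal or external, can only be declared inside a DOCTYPE, so
    refusing the DOCTYPE outright blocks XXE without reasoning about each
    individual entity declaration.  This pass performs no I/O: the external
    entity handler returns 0, which tells expat to abort instead of fetching.
    """
    seen = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        nonlocal seen
        seen = True

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    # Never resolve SYSTEM identifiers such as file:///etc/passwd or http://...
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError:
        # Malformed or aborted input: we only care whether a DOCTYPE was seen,
        # and the DOCTYPE precedes the root element, so the flag is already set.
        pass
    return seen


def parse_untrusted(xml_text: str) -> ET.Element:
    """Parse XML from an untrusted source, refusing anything that declares a DOCTYPE."""
    if contains_doctype(xml_text):
        raise DoctypeRejected("DOCTYPE/entity declarations are not accepted from untrusted input")
    return ET.fromstring(xml_text)


def classify(xml_text: str) -> str:
    """Convenience wrapper: 'rejected' for XXE-style input, otherwise the root tag name."""
    try:
        return parse_untrusted(xml_text).tag
    except DoctypeRejected:
        return "rejected"


if __name__ == "__main__":
    print("malicious:", classify(MALICIOUS_XML))  # rejected
    print("benign:", classify(BENIGN_XML))        # data
```

Rejecting every DOCTYPE is the conservative choice: it also refuses a DTD that declares no entities at all, which is acceptable for most web inputs; where DTDs are a legitimate part of the data, the alternative is a parser explicitly configured never to resolve external entities. The same screen applies to the Office formats mentioned above, since a .docx, .xlsx or .pptx is a ZIP archive whose parts are XML documents, each of which should be checked after extraction.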