Hitachi Vantara Pentaho Community Wiki
Child pages
  • XML eXternal Entity (XXE)
Skip to end of metadata
Go to start of metadata

Cheat Sheet:

http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html

http://www.agarri.fr/blog/

Prevention:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

Exploitation:

http://www.silentrobots.com/blog/2015/12/14/xe-cheatsheet-update/

http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html

https://blog.bugcrowd.com/advice-from-a-researcher-xxe

Parsers

XML Parsers can have an effect on XXE attacks so it is important to consider how to invoke the parsers in safe manner.

Reference: http://web-in-security.blogspot.de/2016/03/xml-parser-evaluation.html

Crimson

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • URL Invocation attacks - Apply an EntityResolver
  • Quirks: The features external-general-entities and external-parameter-entities cannot be set. (always true)

Piccolo

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • Quirks: The state of the feature_ external-parameter-entities_ is reported incorrectly.

Xerces SAX/DOM

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • Information: use the feature disallow-doctype-decl = false as a countermeasure for all attacks.

Oracle SAX/DOM

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • Quirks: The features external-general-entities and external-parameter-entities are not supported.

Safe Coding Practices

http://www.safecode.org/publication/SAFECode_Dev_Practices0211.pdf

Threat Modeling

https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx

  • No labels