Page 134 - Hands-On Bug Hunting for Penetration Testers
Detecting XML External Entities Chapter 7
The final result is as follows:
<?xml version="…" encoding="ISO…"?>
<users>
    <user>
        <username>bob</username>
        <password>rct…R</password>
        <userid>…</userid>
        <mail>…</mail>
    </user>
    <user>
        <username>helward</username>
        <password>nverteDW…rld</password>
        <userid>…</userid>
        <mail>helward.mann@winverted.hmm</mail>
    </user>
    <user>
        <username>james</username>
        <password>Thew…p</password>…</password>
        <userid>…</userid>
        <mail>…<userid>…</userid><mail>james.mowry@terran.gov</mail>
    </user>
</users>
XML injection and XXE - stronger together
We previously covered the anatomy of an XXE bug and how nested entity expansion can
lead to exponential resource use. We've also covered how valid XML structures can be
injected through RESTful APIs so that malicious tags are recreated in the XML formatting
(we used a fictional case of an XML-like DB, but the analysis holds for any server-side XML
processing layer).
You can see how these two dynamics complement one another: if you have discovered a
valid XML injection vector, that gives you the delivery mechanism with which to define
and execute your XXE validation.
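The defensive counterpart of this pairing, as an added example that is not code from the book: values written as text nodes cannot recreate tags in the stored document, and a parser that refuses any DOCTYPE removes the place where entities are declared. The function names and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed input: a "mail" value that closes its own tag and adds a second <userid>.
INJECTED_MAIL = "j@terran.example</mail><userid>0</userid><mail>j@terran.example"
# Constructed input: a document that declares an (internal, harmless) entity in a DTD.
DTD_DOC = '<!DOCTYPE user [<!ENTITY a "x">]><user><username>&a;</username></user>'


def build_user_unsafe(username, userid, mail):
    """Vulnerable pattern: request values pasted straight into the XML text."""
    return (f"<user><username>{username}</username>"
            f"<userid>{userid}</userid><mail>{mail}</mail></user>")


def build_user_safe(username, userid, mail):
    """Hardened pattern: values become text nodes, so the serializer escapes markup."""
    user = ET.Element("user")
    for tag, value in (("username", username), ("userid", userid), ("mail", mail)):
        ET.SubElement(user, tag).text = str(value)
    return ET.tostring(user, encoding="unicode")


def parse_no_dtd(xml_text):
    """Parse only if the document has no DOCTYPE, where entities are declared."""
    def forbid(*_args):
        raise ValueError("DOCTYPE declarations are not accepted")
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = forbid
    checker.Parse(xml_text, True)  # raises as soon as a DOCTYPE starts
    return ET.fromstring(xml_text)


def userids(xml_text):
    """All <userid> values a consumer of this record would see."""
    return [e.text for e in parse_no_dtd(xml_text).iter("userid")]


if __name__ == "__main__":
    print(userids(build_user_unsafe("james", 500, INJECTED_MAIL)))  # injected tag is parsed
    print(userids(build_user_safe("james", 500, INJECTED_MAIL)))    # injected tag is plain text
    try:
        parse_no_dtd(DTD_DOC)
    except ValueError as err:
        print("rejected:", err)
```

With the unsafe builder the record carries two `userid` elements, as in the listing above; with the safe builder the same input survives only as the literal text of `mail`.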

