Page 142 - Hands-On Bug Hunting for Penetration Testers
Chapter 7: Detecting XML External Entities
In the case of this XXE attack, a malicious agent could submit entity expansion code to retrieve the contents of a sensitive file on the server (like the contents of /etc/passwd), or make a call to /dev/random and crash the server, or even use a different DoS method with the nested entity expansion strategy of a Billion Laughs-style attack (https://en.wikipedia.org/wiki/Billion_laughs_attack).
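The attack scenarios just described share one precondition: the parser accepts a DTD. As an added, defender-side example (not code from the book), the triage function below reads only the DOCTYPE of an incoming document with the stdlib expat binding, records SYSTEM/PUBLIC entities (the /etc/passwd and /dev/random reads) and estimates how far internal entities would expand (the Billion Laughs case), then aborts before the body is parsed, so nothing is fetched or expanded. The sample documents, the max_expansion_chars threshold and the verdict labels are constructed for this demo.

```python
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([^;&\s]+);")

class DoctypeRead(Exception):
    """Raised from an expat handler to stop parsing once the whole DTD has been read."""

def expanded_size(name, internal, seen=()):
    """Characters an entity would produce when fully expanded (Billion Laughs estimate)."""
    if name in seen:                 # entity that references itself: unbounded
        return float("inf")
    value = internal.get(name)
    if value is None:                # predefined (&lt;) or undeclared: count as one character
        return 1
    total, last = 0, 0
    for ref in ENTITY_REF.finditer(value):
        total += ref.start() - last + expanded_size(ref.group(1), internal, seen + (name,))
        last = ref.end()
    return total + len(value) - last

def triage(xml_bytes, max_expansion_chars=100_000):
    """Return (verdict, external entities, expansion) without expanding or fetching anything."""
    external, internal = [], {}
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if value is None:            # SYSTEM/PUBLIC entity: would read a file or URL (XXE)
            external.append((name, sysid))
        else:                        # internal entity; nested &refs; stay literal at this point
            internal[name] = value
    def on_doctype_end():
        raise DoctypeRead()          # abort before the body, so no entity is ever expanded
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    try:
        parser.Parse(xml_bytes, True)
        has_dtd = False              # parsed to the end: the document carried no DOCTYPE
    except DoctypeRead:
        has_dtd = True
    expansion = max((expanded_size(n, internal) for n in internal), default=0)
    verdict = ("xxe" if external else "entity-expansion" if expansion > max_expansion_chars
               else "dtd" if has_dtd else "ok")   # "dtd" still fails closed under a no-DTD policy
    return verdict, external, expansion

# Constructed samples: harmless document, the /etc/passwd read from the text, a small Billion Laughs.
PLAIN = b"<order><id>42</id></order>"
XXE = b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>'
LAUGHS = (b'<!DOCTYPE x [<!ENTITY lol "lol"><!ENTITY lol1 "' + b"&lol;" * 10
          + b'"><!ENTITY lol2 "' + b"&lol1;" * 10 + b'">]><x>&lol2;</x>')
```

Only "ok" should be allowed through to the real parser; any other verdict is the non-impactful evidence that the endpoint received a DTD it should have refused.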
Summary
In this chapter, we covered XXE and touched on the nature of XML parsing attacks, discussed XXE within the historical context of the Billion Laughs vulnerability, reviewed a specific weakness that makes many XML parsers vulnerable to XXE, and walked through some of the possible attack scenarios associated with an XXE bug, in addition to taking an XXE vulnerability all the way from discovery to report submission.
In the next chapter, we will discuss access control and security through obscurity.
Questions
1. What makes an XML parser susceptible to XXE? What is an example misconfiguration?
2. How do you use Burp to test for XXE?
3. What are some impacts of an XXE vulnerability? What are some common attack scenarios involving the bug?
4. What is /dev/random?
5. What's a non-impactful way you can test for the presence of an XXE vulnerability?
6. What's the Billion Laughs attack?
7. How can some services (especially API endpoints) be vulnerable to XXE when they use JSON for data exchanges?