Overview
Write Ups Compilations/Resources
Main Resources
Labs
Cross Site Request Forgery
- Cross Site Request Forgery (CSRF)
Missing Access Controls
- Missing Access Controls
LFI / Directory Traversal
- Local File Inclusion
XXE
- XML External Entity (XXE)
Injection
SSRF
- Server-Side Request Forgery (SSRF)
  - SSRF Write-ups
  - Source Code Review
Unvalidated Redirects and Forwards
- Unvalidated Redirects and Forwards
  - Writeups
  - Source Code Examples
Verbose Error Messages and Stack Traces
- Verbose Error Messages and Stack Traces
  - Write-ups

Powered by GitBook

On this page

Was this helpful?

XXE

XML External Entity (XXE)

Resources

PreviousPayloads NextCommand Injection

Last updated 4 years ago

Was this helpful?

OWASP

XML External Entity (XXE) Prevention Cheat Sheet

Timothy Morgan’s 2014 Paper: XML Schema, DTD, and Entity Attacks - A Compendium of Known Techniques

Precursor presentation of above paper - at OWASP AppSec USA 2013

CWE-611: Information Exposure Through XML External Entity Reference

CWE-827: Improper Control of Document Type Definition

Sascha Herzog’s Presentation on XML External Entity Attacks - at OWASP AppSec Germany 2010

PostgreSQL XXE vulnerability

SharePoint and DotNetNuke XXE Vulnerabilities, in French

XML Denial of Service Attacks and Defenses (in .NET)

Early (2002) BugTraq Article on XXE

http://www.synacktiv.fr/ressources/synacktiv_drupal_xxe_services.pdf

What is XXE (XML external entity) injection? Tutorial & Examples | Web Security AcademyWebSecAcademy

XML External Entity (XXE) Processing | OWASP Foundation

XXE - XEE - XML External EntityHackTricks

Forcing XXE Reflection through Server Error MessagesNetSPI

XML External Entity Prevention - OWASP Cheat Sheet Series

A Deep Dive Into Xxe Injection.Synack