XML External Entity (XXE)

Resources

  • What is XXE (XML external entity) injection? Tutorial & Examples | Web Security Academy (PortSwigger)
  • XML External Entity (XXE) Processing | OWASP Foundation
  • XML External Entity Prevention - OWASP Cheat Sheet Series
  • XXE - XEE - XML External Entity (HackTricks)
  • A Deep Dive Into XXE Injection (Synack)
  • Forcing XXE Reflection through Server Error Messages (NetSPI)

  • OWASP XML External Entity (XXE) Prevention Cheat Sheet

  • Timothy Morgan’s 2014 Paper: XML Schema, DTD, and Entity Attacks - A Compendium of Known Techniques

  • Precursor presentation of above paper - at OWASP AppSec USA 2013

  • CWE-611: Information Exposure Through XML External Entity Reference

  • CWE-827: Improper Control of Document Type Definition

  • Sascha Herzog’s Presentation on XML External Entity Attacks - at OWASP AppSec Germany 2010

  • PostgreSQL XXE vulnerability

  • SharePoint and DotNetNuke XXE Vulnerabilities, in French

  • XML Denial of Service Attacks and Defenses (in .NET)

  • Early (2002) BugTraq Article on XXE

  • http://www.synacktiv.fr/ressources/synacktiv_drupal_xxe_services.pdf


Last updated 4 years ago