XXE Vulnerability Part1

XXE stands for XML External Entities. Here we will learn about the XXE vulnerability, but before going further we will first understand what XXE is and how it becomes vulnerable; then we will discuss the types of XXE and learn some security controls to counter this weakness.
So let's start...

What is XML?


XML (Extensible Markup Language) is an intermediary language that can be understood by both computers and humans. XML is used in APIs, UI layouts and styles, configuration files, and RSS feeds.

What are the Entities?


Entities are simple storage units, like variables, in XML. They are defined in the DTD (Document Type Definition); by using an entity we can reuse the same value in multiple places in an XML file.
Entities can store user-defined values, pull values from a defined file, or fetch data from a remote server.
There are 3 types of entities:

  • Internal Entities - Defined in the local DTD, with the value written directly in the declaration.

               <!ENTITY student "Hill">

  • External Entities - The value is loaded from outside the DTD (a file or URL).

               <!ENTITY student SYSTEM "file:///externalfile.dtd">

  • Parameter Entities - Declared with a % sign; their value is used inside another entity declaration or the DTD itself (one entity inside another).

               <!ENTITY % name "entity_value">


SYSTEM - This keyword in an entity declaration tells the XML parser that the entity is external: the parser fetches the data from the referenced file (or URL) and stores it in the entity.
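To see the three entity types and the SYSTEM keyword in practice, here is an added example (not code from the original post) that builds one constructed XML document per entity type, expands an internal entity with Python's standard library parser, and refuses to parse any document whose DTD declares an external entity. The sample documents and the helper names are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample documents, one per entity type from the text above.
INTERNAL = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY student "Hill">
]>
<note><name>&student;</name></note>"""

EXTERNAL = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY student SYSTEM "file:///externalfile.dtd">
]>
<note><name>&student;</name></note>"""

PARAMETER = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY % name "entity_value">
]>
<note><name>x</name></note>"""

# A parameter entity can also point at an external resource via SYSTEM.
PARAMETER_EXTERNAL = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY % ext SYSTEM "file:///externalfile.dtd">
]>
<note><name>x</name></note>"""

# Any general (<!ENTITY name ...>) or parameter (<!ENTITY % name ...>) entity
# declared with SYSTEM or PUBLIC asks the parser to fetch data from outside
# the document; that is exactly what an XXE attack abuses.
EXTERNAL_DECL = re.compile(r"<!ENTITY\s+(%\s+)?\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def declares_external_entity(xml_text: str) -> bool:
    """True if the DTD declares an entity whose value is loaded externally."""
    return EXTERNAL_DECL.search(xml_text) is not None


def parse_if_safe(xml_text: str) -> Optional[str]:
    """Reject documents with external entity declarations; otherwise return <name>.

    Internal entities such as &student; are expanded by the parser, which is fine
    here because their value lives inside the document itself."""
    if declares_external_entity(xml_text):
        return None
    return ET.fromstring(xml_text).findtext("name")
```

Note that this pre-check is a demonstration of the idea; the robust control is to configure the parser itself so that external entities and DTDs are never resolved.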

 Continued...Part 2