{"id":53141,"date":"2022-07-29T09:18:56","date_gmt":"2022-07-29T01:18:56","guid":{"rendered":"https:\/\/version-2.com\/?p=53141"},"modified":"2022-08-19T15:16:56","modified_gmt":"2022-08-19T07:16:56","slug":"xml-external-entity-xxe-attack","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2022\/07\/xml-external-entity-xxe-attack\/","title":{"rendered":"XML External Entity (XXE) Attack"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"53141\" class=\"elementor elementor-53141\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4da8c5f9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4da8c5f9\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;decf9c3&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quo
t;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-133ba185\" data-id=\"133ba185\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fc2da8d post-content elementor-widget elementor-widget-text-editor\" data-id=\"fc2da8d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<style>\n.post-content h3 { font-size: 20px; color: #4c4ef0; line-height: 1.7em; }\n.post-content h4 { font-size: 18px; color: #4c4ef0; line-height: 1.7em; }\n.post-content ul, .post-content ol { list-style-position: outside; padding-left:20px;}\n.post-content .div-box {background-color:#f0f0f0; padding: 0.625rem; display: block;}\n\n<\/style>\n\n<p align=\"center\"><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl5p8417f0qbx0amchwpfbkbx.jpg?tr=w-1800,c-at_max\" alt=\"\" width=\"958\" height=\"auto\"><\/p>\n<p>In this article, I will write about the XML External Entity attack. For this attack to occur, the application must have logic for parsing XML input.<\/p><p>This injection will happen if there is a weakly configured XML parser. A successful attack would be if the attacker would be able to view files on the application server and interact with the backend. 
This XXE vulnerability could be used to perform server-side request forgery (SSRF) attacks, denial of service (DoS) such as the Billion Laughs Attack, and more.<\/p><p><strong><em>What are the XXE types?<\/em><\/strong><\/p><p>There is no strict classification of XXE attacks, but we can divide them into two types: in-band and out-of-band (blind).<\/p><p>\u00b7 In-band attacks are more common than out-of-band ones. In this case, the attacker receives an immediate response to the XXE payload.<\/p><p>\u00b7 In out-of-band, or so-called blind XXE, there is no immediate response. This type involves the creation of an external Document Type Definition, and the XML parser also needs to make an additional request to an attacker-controlled server.<\/p><p><em>In which cases can an attacker execute this injection?<\/em><\/p><p>\u00b7 In old applications where the version of SOAP is less than 1.2<\/p><p>\u00b7 Applications where users are logged in based on their sessions &#8211; SAML (the single sign-on (SSO) login standard). The chances of this attack in this case can be very high because SAML uses XML for identity assertions<\/p><p>\u00b7 Where XML input or XML uploads from untrusted data can be added into XML documents and then parsed by an XML processor.<\/p><p>\u00b7 There is a high risk when Document Type Definitions (DTD) are enabled<\/p><p><em>When would an application parse XML?<\/em><\/p><p>XML is often used in both frontend and backend web development.<\/p><p><u>Examples:<\/u><\/p><p>The frontend side of the application can, for example, request an XML file from an API and build and present a UI form based on the data in the XML. We might then have an option to add a new field to the form and save the changes; afterward, the XML input would be added into the XML document.<\/p><p>On the backend, parsed XML would be used to transfer data in some standard format. 
Also, in mobile development, Android applications use it to create layouts and store configurations.<\/p><p>On the <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/owasp.org\/www-community\/vulnerabilities\/XML_External_Entity_(XXE)_Processing\">OWASP site<\/a>, you can find more examples of XXE attacks. <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/portswigger.net\/web-security\/xxe\">Portswigger<\/a> has a nicely explained example of this attack:<\/p><p>For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:<\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl5p7ffhp0q8108qjcfh5bxul.png\"><p>The application performs no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the \/etc\/passwd file by submitting the following XXE payload:<\/p>\n\n<div class=\"div-box\"><p>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;<br>&lt;!DOCTYPE foo [ &lt;!ENTITY xxe SYSTEM &quot;file:\/\/\/etc\/passwd&quot;&gt; ]&gt;<br>\n&lt;stockCheck&gt;&lt;productId&gt;&amp;xxe;&lt;\/productId&gt;&lt;\/stockCheck&gt;<\/p><\/div>\n\n<p>This XXE payload defines an external entity &amp;xxe; whose value is the contents of the \/etc\/passwd file and uses the entity within the productId value. 
This causes the application&#8217;s response to include the contents of the file:<\/p>\n\n<p>Invalid product ID: <\/p>\n\n<div class=\"div-box\">\n<p>root:x:0:0:root:\/root:\/bin\/bash<br>\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin<br>\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin<br>\n&#8230;<\/p><\/div>\n\n<p><strong><em>List of preventions for XXE<\/em><\/strong><\/p><ul><li>Use JSON instead of XML and avoid serialization of sensitive data<\/li><li>As I mentioned before, this attack can happen easily when the application is using SOAP &lt; 1.2, so try to update to a higher version<\/li><li>Implement XSD validation (&#8220;XML Schemas&#8221;) in your application for all XML file inputs<\/li><li>Patch or upgrade all XML libraries<\/li><li>Use SAST tools to check whether there are XXE vulnerabilities.<\/li><\/ul><p><strong><em>How to prevent it if you are using SAML?<\/em><\/strong><\/p><p>The SAML language is used to construct authorization statements, whose authenticity is protected by the XML digital signature applied over the statements.<\/p><p>Many attacks happen because of wrong assumptions made by developers; for example, that the token is always properly formed XML compliant with the SAML schema.<\/p><p>Developers can assume that the SAML document has just one Assertion tag (as properly formed SAML would). 
With that in mind, developers may validate just the first element they get when searching for elements by tag name in the XML document.<\/p><p>To get the list of nodes, the DOM &#8220;getElementsByTagName&#8221; method can be used:<\/p><div class=\"div-box\"><p>NodeList xmlNodes = doc.getElementsByTagName(&quot;saml:Assertion&quot;);<\/p><\/div><p>xmlNodes is assigned the list of elements from the document with the tag name &#8220;saml:Assertion&#8221;.<\/p><p>As developers can assume that this is properly formed SAML with one Assertion tag, they take the first element and validate it afterwards:<\/p><div class=\"div-box\"><p>Element firstElement = (Element) xmlNodes.item(0);<\/p><\/div><p>*As you can guess, this is not the proper way to validate the tag, because the attacker can also assume that developers used this approach for the validation. In this case, the attacker can place a malicious assertion before the original one, so the first element (tag) is the attacker&#8217;s and the substitution is never detected.<\/p><p>With the same logic, some developers use &#8220;getElementsByTagNameNS&#8221;, but the result would be the same: a malicious assertion easily inserted as the first element.<\/p><p>Proper prevention would be:<\/p><p>\u00b7 Parsing the XML document using structure validation based on the supplied schema. Never allow automatic download of schemas from third parties; prefer local trusted copies. It would also be good, if possible, to inspect schemas and perform schema hardening, which can be used to disable wildcard types or relaxed processing statements.<\/p><p>\u00b7 Digital signature validation, which verifies the authenticity and integrity of the assertion embedded in the SAML document. 
This prevents forgery.<\/p><p>**The most important thing when writing a schema is to describe the intended document&#8217;s structure precisely.<\/p><p><strong><em>How to prevent it using XSD validation?<\/em><\/strong><\/p><p>I will explain how to create a C# solution to validate XML data.<\/p><p>The most important reason we want to use XSD (XML Schema Definition) validation is that we want the sender and receiver to have the same &#8220;expectations&#8221; about the content. Using schemas, we describe the data exactly, so both parties are clear about it.<\/p><p>Steps:<\/p><p>\u00b7 Add an XML file to the code<\/p><p>When adding an XML file, you will just see the XML declaration:<\/p><div class=\"div-box\"><p>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;<\/p><\/div><p>I will add a User object with the properties FirstName, LastName and Address, so the XML file would look like this:<\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl5p7m1fg0q9r08qj3njpbjqw.png\"><p>\u00b7 Create an XML Schema for this file<\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl5p7n8p10qa208qj80xu5lej.png\"><p>You will get an XML schema structure like this:<\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl5p7nmic0qa808qj0yhq12r9.png\"><p>\u00b7 Modify the XSD<\/p><p>Now you can modify the file and add validations for FirstName and Address. 
In this case, I just show how to add validations for these fields; they will, of course, not prevent the attack by themselves, but only validate the length and the type of the mentioned fields.<\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl5p7oudc0qak08qj054g9qt2.png\"><p>\u00b7 Validate the XML using the XSD<\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl5p7pccs0q860amcbl2taik0.png\"><p>What am I doing in the code?<\/p><ul><li>Getting the local path of the assembly so I can then append the XML file name and the XSD file name to get their full paths<\/li><li>Creating the schema using XmlSchemaSet and XmlSeverityType, which are from <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.xml.schema?view=net-6.0\">System.Xml.Schema<\/a><\/li><li>Using XmlReader from <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.xml?view=net-6.0\">System.Xml<\/a> so I can create an XDocument, imported from <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.xml.linq?view=net-6.0\">System.Xml.Linq<\/a><\/li><li>When I create the document, I call the Validate method that the class has, passing the schema to validate against and the ValidationEventHandler method (I named it that), which throws an exception if the severity type is Error. <em>In this method you should add all validation logic<\/em>.<\/li><\/ul><p>This is just an example of how to create an XSD for an XML file and which libraries you can use for the validation.<\/p><p><strong><em>How to prevent it with a DTD implementation?<\/em><\/strong><\/p><p>We can also validate an XML file using a DTD. 
You can find some differences between XSD and DTD on <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/www.geeksforgeeks.org\/difference-between-document-type-definition-dtd-and-xml-schema-definition-xsd\/\">this site<\/a>.<\/p><p>In this example, I am validating an XML file using a DTD file with DtdProcessing.<\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl5p7qq7m0qb208qj18vb18jm.png\"><p>Steps:<\/p><ul><li>Setting the validation settings using XmlReaderSettings<\/li><li>Creating the XmlReader object so I can parse the file using the Read() method<\/li><li>Creating the ValidationEventHandler method, which throws an exception if the severity type is Error<em>. In this method, you should add all validation logic<\/em>.<\/li><\/ul><p><strong><em>List of SAST testing tools<\/em><\/strong><\/p><p>SAST tools will help you with static application security testing.<\/p><p>SAST tools can be free, commercial, or open-source.<\/p><p>Some of the most popular SAST tools currently are:<\/p><ul><li>Veracode<\/li><li>LGTM<\/li><li>Checkmarx<\/li><li>Klocwork<\/li><li>Reshift<\/li><li>SpectralOps<\/li><li>HCL AppScan<\/li><li>Codacy<\/li><li>Insider CLI<\/li><li>Argon<\/li><\/ul><p><strong><em>Why is SOAP version &lt; 1.2 vulnerable to XXE attacks, and why should you use later versions?<\/em><\/strong><\/p><p>Before version 1.2, external entities were allowed within SOAP messages.<\/p><p>Since version 1.2, some changes were introduced to the envelope and encoding schemas. 
Both schemas have been updated to be compliant with the XML Schema Recommendation.<\/p><p>You can see the list of recommendations which were used:<\/p><p>\u00b7 <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"http:\/\/www.w3.org\/TR\/2001\/REC-xmlschema-1-20010502\/\">http:\/\/www.w3.org\/TR\/2001\/REC-xmlschema-1-20010502\/<\/a><\/p><p>\u00b7 <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"http:\/\/www.w3.org\/TR\/2001\/REC-xmlschema-2-20010502\/\">http:\/\/www.w3.org\/TR\/2001\/REC-xmlschema-2-20010502\/<\/a><\/p><p>\u00b7 <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"http:\/\/www.w3.org\/TR\/1999\/REC-xml-names-19990114\">http:\/\/www.w3.org\/TR\/1999\/REC-xml-names-19990114<\/a><\/p><p>\u00b7 <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"http:\/\/www.w3.org\/TR\/2000\/REC-xml-20001006\">http:\/\/www.w3.org\/TR\/2000\/REC-xml-20001006<\/a><\/p><p>\u00b7 <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"http:\/\/www.w3.org\/TR\/2000\/PR-xlink-20001220\/\">http:\/\/www.w3.org\/TR\/2000\/PR-xlink-20001220\/<\/a><\/p><p>Also, additional changes occurred in this version, within the names of datatypes in the XML Schema specification, and some datatypes were removed. 
If you want to check out all the changes that were made, you can go to this <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/www.w3.org\/2000\/xp\/Group\/1\/06\/01\/soap-02-infoset-hh.html#N4017D2\">site<\/a>.<\/p><p><strong>Conclusion<\/strong><\/p><p>This article presented some prevention steps that could help you defend your application from XXE attacks.<\/p><p>The OWASP team, which is constantly working to discover new ways attackers can exploit your application and perform their malicious actions, is always updating its <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/XML_External_Entity_Prevention_Cheat_Sheet.html\">Prevention Cheat Sheet<\/a>.<\/p><p>The best way to secure your application is to always stay up to date with the latest prevention methods: the best libraries to use, the best detection tools, etc.<\/p><p>In the end, secure code is the cheapest code!<\/p><p>Cover photo by <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/unsplash.com\/photos\/lzh3hPtJz9c\">Joshua Woroniecki<\/a><\/p><p>#XXE_attack #XSD #DTD #SAML #vicarius_blog<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8085a61 post-content elementor-widget elementor-widget-shortcode\" data-id=\"8085a61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\t\t<div data-elementor-type=\"page\" data-elementor-id=\"18103\" class=\"elementor elementor-18103\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a437045 elementor-widget elementor-widget-image-box\" data-id=\"a437045\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><h3 class=\"elementor-image-box-title\">About Version 2 Digital<\/h3><p class=\"elementor-image-box-description\">Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n<br><br>\nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\n\t\t<div data-elementor-type=\"page\" data-elementor-id=\"39690\" class=\"elementor elementor-39690\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ff2a228 elementor-widget elementor-widget-text-editor\" data-id=\"ff2a228\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><\/p>\n<p class=\"wp-block-paragraph\"><b>About VRX<\/b><br><b>VRX&nbsp;<\/b>is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>In this article, I will write about the XML External En [&hellip;]<\/p>","protected":false},"author":143524195,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[488,476,61],"tags":[477,489],"class_list":["post-53141","post","type-post","status-publish","format-standard","hentry","category-488","category-vrx","category-press-release","tag-vrx","tag-489"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>XML External Entity (XXE) Attack - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vicarius.io\/blog\/xml-external-entity-xxe-attack\" \/>\n<meta 
property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"XML External Entity (XXE) Attack - Version 2\" \/>\n<meta property=\"og:description\" content=\"In this article, I will write about the XML External En [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vicarius.io\/blog\/xml-external-entity-xxe-attack\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-29T01:18:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-08-19T07:16:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl5p8417f0qbx0amchwpfbkbx.jpg?tr=w-1800,c-at_max\" \/>\n<meta name=\"author\" content=\"version2hk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"version2hk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/xml-external-entity-xxe-attack#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/07\\\/xml-external-entity-xxe-attack\\\/\"},\"author\":{\"name\":\"version2hk\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\"},\"headline\":\"XML External Entity (XXE) Attack\",\"datePublished\":\"2022-07-29T01:18:56+00:00\",\"dateModified\":\"2022-08-19T07:16:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/07\\\/xml-external-entity-xxe-attack\\\/\"},\"wordCount\":1623,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/xml-external-entity-xxe-attack#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl5p8417f0qbx0amchwpfbkbx.jpg?tr=w-1800,c-at_max\",\"keywords\":[\"vRx\",\"2022\"],\"articleSection\":[\"2022\",\"vRx\",\"Press Release\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/07\\\/xml-external-entity-xxe-attack\\\/\",\"url\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/xml-external-entity-xxe-attack\",\"name\":\"XML External Entity (XXE) Attack - Version 
2\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"XML External Entity (XXE) Attack - Version 2","canonical":"https:\/\/www.vicarius.io\/blog\/xml-external-entity-xxe-attack","author":"version2hk","article_published_time":"2022-07-29T01:18:56+00:00","article_modified_time":"2022-08-19T07:16:56+00:00"}}