OWASP XML External Entities (XXE)
September 10th, 2022
XML external entity (XXE) injection
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
Most XML parsers are vulnerable to XXE injection by default.
You need to configure them to be safe.
(src: Book: Release It! - Michael Nygard)
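Added example (not from the original post or the book): the same document parsed under three configurations of Python's standard-library xml.sax, assumed here as the parser under discussion. The names parse_text, RejectDoctype and demo are made up for illustration, and the SYSTEM URI points at a constructed temporary file instead of /etc/passwd.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax import handler

# The document from this page; {uri} is pointed at a constructed stand-in file.
PAYLOAD = ('<!DOCTYPE foo [\n<!ELEMENT foo ANY>\n'
           '<!ENTITY xxe SYSTEM "{uri}">\n]>\n<foo>&xxe;</foo>')

class TextCollector(handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []
    def characters(self, content):
        self.chunks.append(content)

class RejectDoctype:
    """Lexical handler that refuses any document carrying a DOCTYPE."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not allowed")
    endDTD = comment = startCDATA = endCDATA = lambda self, *a: None  # unused hooks

def parse_text(xml_bytes, resolve_external=False, forbid_doctype=False):
    """Parse xml_bytes and return the text content seen by the handler."""
    reader = xml.sax.make_parser()
    # The setting that matters: True makes the parser fetch SYSTEM entities.
    reader.setFeature(handler.feature_external_ges, resolve_external)
    if forbid_doctype:
        reader.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    reader.setContentHandler(collector)
    reader.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)

def demo():
    """Return (weak, hardened, strict) results for the page's payload."""
    with tempfile.TemporaryDirectory() as tmp:
        target = pathlib.Path(tmp, "secret.txt")
        target.write_text("constructed-secret-value")
        doc = PAYLOAD.format(uri=target.as_uri()).encode()
        weak = parse_text(doc, resolve_external=True)  # file contents leak
        hardened = parse_text(doc)                     # entity is skipped
        try:
            strict = parse_text(doc, forbid_doctype=True)
        except ValueError as exc:
            strict = f"rejected: {exc}"
    return weak, hardened, strict
```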