Message-ID: <>
Date: Tue, 1 Feb 2011 19:24:40 -0800
From: Chris Evans <>
To: "HI-TECH ." <>
Subject: Re: PAPER: Attacking Server Side XML Parsers

On Tue, Feb 1, 2011 at 5:55 PM, HI-TECH . <> wrote:

> Hello lists,
> the paper included in this email discusses, as the subject describes, the
> issues of XML Parsers and how they can be exploited in a web application
> environment.
> From the Preface:
> During the audit of web applications one might come across an application
> which handles XML files. Specifically there can be an application which
> allows uploading XML files which are thereafter inserted into a database
> and used for later displaying on the front end of the application,
> viewable by the user.
> I came across a significant “vulnerability class” which allows an attacker
> (or penetration tester) to evoke a scenario which will give access to all
> files on the underlying file system which the application server runs as.
> This includes (in the case the application is programmed in the Java
> language) access to directory listings as well.
> Any pointers if this was helpful to you are appreciated.

This attack is called XXE (Xml eXternal Entity).

It's depressing because it's been known about since at least 2002 (, yet it
still keeps rearing its head. There's also the "billion laughs" attack which
is a variant that consumes excessive server-side resource.

There have also been client-side examples of this attack, including in
Safari and (IIRC) Adobe Reader.


> Best Regards,
> Kingcope
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -
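An added example, not from the thread or the paper: a pre-parse inspector built on Python's standard-library expat bindings that reads only the DOCTYPE of an untrusted document and reports the two risks named in the reply, entities that point at external resources (XXE) and nested internal entities whose expansion balloons (billion laughs), stopping before any document content is expanded. The sample documents, the `file:///path/to/secret` placeholder and the `max_expansion` budget are constructed for the example.

```python
import re
import xml.parsers.expat

_REF = re.compile(r"&([^;&\s]+);")  # general entity references inside replacement text


class _DoctypeDone(Exception):
    """Internal signal: the DTD has been read, stop before any content is expanded."""


def _max_expansion(internal):
    """Worst-case expanded length of any internal entity, following nested references.
    Memoised, so a 10-level billion-laughs DTD costs a handful of multiplications."""
    memo = {}

    def size(name, stack):
        if name in memo:
            return memo[name]
        if name in stack or name not in internal:  # recursive (ill-formed) or undeclared: count literally
            return len(name) + 2
        stack.add(name)
        text = internal[name]
        total = len(_REF.sub("", text)) + sum(size(ref, stack) for ref in _REF.findall(text))
        stack.discard(name)
        memo[name] = total
        return total

    return max((size(n, set()) for n in internal), default=0)


def inspect_dtd(xml_bytes, max_expansion=100_000):
    """Inspect the DOCTYPE of untrusted XML. Returns a report dict; 'safe' is True only
    when no entity or DOCTYPE subset points outside the document and the worst-case
    internal expansion stays within max_expansion. Malformed XML raises ExpatError."""
    report = {"has_doctype": False, "external_entities": [], "external_subset": None,
              "expansion": 0, "safe": True}
    internal = {}  # entity name -> replacement text (references left unexpanded by expat)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        report["has_doctype"] = True
        report["external_subset"] = sysid  # an external DTD subset is fetched just like an entity

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:  # covers general and parameter entities
            report["external_entities"].append(name)
        elif value is not None:
            internal[name] = value

    def end_doctype():
        raise _DoctypeDone  # pyexpat propagates handler exceptions out of Parse()

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = start_doctype
    p.EntityDeclHandler = entity_decl
    p.EndDoctypeDeclHandler = end_doctype
    try:
        p.Parse(xml_bytes, True)  # without a DOCTYPE this parses the whole document
    except _DoctypeDone:
        pass
    report["expansion"] = _max_expansion(internal)
    report["safe"] = (not report["external_entities"] and report["external_subset"] is None
                      and report["expansion"] <= max_expansion)
    return report
```

For untrusted uploads the simplest policy is to reject any document with `has_doctype` set; the finer-grained fields are for logging and for feeds where a DTD is legitimately required.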

