OWASP A4: XML External Entities (XXE)
Michael Furman, Security Architect
What will we see today?
• What an XML External Entities (XXE) attack is
• How to prevent it
About Me
• 20+ years in software engineering
• 10+ years in application security
• 4+ years Lead Security Architect at Tufin
• www.linkedin.com/in/furmanmichael/
• ultimatesecpro@gmail.com
• Read my blog https://ultimatesecurity.pro/
• Follow me on twitter @ultimatesecpro
• I like to travel, read books and listen to music.
About Tufin
• Market Leader in Security Policy Orchestration for firewalls and cloud
– New Tufin products integrate security into the DevOps pipeline
• Established in 2005
• Used in over 2,000 enterprises, including 40
Fortune 100 companies
• We are constantly growing!
www.tufin.com/careers/
What is XML?
• XML stands for eXtensible Markup Language
https://www.w3schools.com/xml/xml_whatis.asp
• XML was designed to store and transport data
• XML tags are not predefined
What is XML Entity?
• Entities are used to define shortcuts to characters
(or words)
• Entities can be declared internal, external or
predefined
• Internal entity declaration:
<!ENTITY entity-name "entity-value">
• Usage:
<element>&entity-name;</element>
What is XML Entity?
• External entity declaration:
<!ENTITY entity-name SYSTEM "system-identifier">
• Usage:
<element>&entity-name;</element>
• Predefined entities (need no declaration):
&lt; &gt; &amp; &quot; &apos;
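The three entity kinds on the slides above, shown in running code. This is an added example and not part of the deck or of the xxeprotection project: a JAXP DocumentBuilder parses one document with an internal entity, one with predefined entities, and one declaring an external entity in the shape used on the attack slides. The factory here deliberately leaves DOCTYPEs allowed (so internal entities still work) but switches off external general/parameter entities and external DTD loading, which is enough to see that the external reference is skipped instead of read. The class and method names (EntityDemo, textOfEntry) and the sample documents are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class EntityDemo {

    /** Parser that still accepts a DOCTYPE (so internal entities expand) but never fetches external resources. */
    static DocumentBuilder dtdAllowedNoExternalFetch() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses the document and returns the text of the first <xmlEntry> element. */
    static String textOfEntry(String xml) throws Exception {
        Document doc = dtdAllowedNoExternalFetch()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("xmlEntry").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Internal entity: the value is inside the document, the parser just substitutes it.
        String internal = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE xmlroot [<!ENTITY company \"Tufin\">]>"
                + "<xmlroot><xmlEntry>Hello from &company;</xmlEntry></xmlroot>";
        System.out.println("internal:   " + textOfEntry(internal));   // Hello from Tufin

        // Predefined entities need no declaration at all.
        String predefined = "<xmlroot><xmlEntry>a &lt; b &amp;&amp; c &gt; d</xmlEntry></xmlroot>";
        System.out.println("predefined: " + textOfEntry(predefined)); // a < b && c > d

        // External entity, the shape used on the attack slides. With external-general-entities
        // switched off the parser reports the reference as skipped: no file is opened and the
        // element text stays empty instead of carrying the file content.
        String external = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE xmlroot [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                + "<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>";
        System.out.println("external:   '" + textOfEntry(external) + "'"); // ''
    }
}
```

The per-feature settings used here are the minimum needed to keep internal entities working; the full hardening on the prevention slides goes further and refuses any DOCTYPE, which also rejects the harmless internal-entity document above. Which of the two you pick depends on whether your XML formats legitimately rely on DTDs.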
Why is an XML Entity Dangerous?
• An attacker can include hostile content in an XML document.
• This can be used to carry out several different attacks.
Why is an XML Entity Dangerous?
• What happens when the parser processes this file?
• The parser reads the local file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:////etc/passwd" >]>
<xmlroot><xmlEntry>&xxe;3</xmlEntry></xmlroot>
Why is an XML Entity Dangerous?
• What happens when the parser processes this file?
• The parser performs the remote HTTP call.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://api.geonames.org/timezoneJSON" >]>
<xmlroot><xmlEntry>&xxe;3</xmlEntry></xmlroot>
Flow of the attack
• The attack vector: a web application that accepts XML input and parses it
[Diagram: the Browser sends "XML with XXE" to the WebServer; the WebServer hands it to the XML Parser; the XXE entity makes the parser read /etc/passwd; the file content flows back through the WebServer to the Browser]
Why is an XML Entity Dangerous?
• The attack lets an attacker read a local file and have its content sent back to them!
What is OWASP?
• OWASP - Open Web Application Security Project
• Worldwide not-for-profit organization
• Founded in 2001
• Its mission is to make software security visible.
OWASP Top Ten
• The most successful OWASP project
• Lists the ten most critical web application security attacks
• First released in 2004
• Released every 3 years
• 2007, 2010, 2013, 2017 (current)
OWASP Top Ten 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring
A4 XML External Entities
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document.
https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)
• The attack can be used to
– extract data
– execute a remote request from the server
– scan internal systems
– perform a denial-of-service attack
– as well as execute other attacks.
A4 XXE - How to Prevent
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
How to Prevent - Unmarshaller
• Configure the Unmarshaller according to
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Unmarshaller
SAXParserFactory spf = SAXParserFactory.newInstance();
// Do not resolve external general entities (e.g. <!ENTITY xxe SYSTEM "file:///...">)
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
// Do not resolve external parameter entities (used inside the DTD itself)
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Do not fetch an external DTD even though the parser is not validating
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
How to Prevent - Unmarshaller
• Use preconfigured SafeSource
https://gitlab.com/ultimatesecpro/xxeprotection
// SafeSource wraps the input in a Source backed by a hardened SAX reader
Source xmlSource = SafeSource.newInstanceFromXmlContent(xml);
final Unmarshaller unmarshaller = JAXBContext.newInstance(SimpleXmlEntry.class).createUnmarshaller();
final SimpleXmlEntry simpleXmlEntry = (SimpleXmlEntry) unmarshaller.unmarshal(xmlSource);
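The two Unmarshaller slides as one complete program. This is an added example, not the deck's code and not the SafeSource class from the xxeprotection project: it builds the hardened SAXParserFactory from the cheat sheet, wraps its reader in a SAXSource, hands that to a JAXB Unmarshaller, and shows a benign document being accepted while a document of the slide-9 shape is rejected at the DOCTYPE. It assumes Java 8 (where javax.xml.bind is part of the JDK; on Java 11 and later the JAXB API must be added as a dependency). XmlRoot, hardenedSource, unmarshal and the sample documents are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SafeJaxbDemo {

    /** Constructed JAXB target for the example; stands in for the deck's SimpleXmlEntry. */
    @XmlRootElement(name = "xmlroot")
    public static class XmlRoot {
        @XmlElement(name = "xmlEntry")
        public String xmlEntry;
    }

    /** A Source backed by a SAX reader that refuses DOCTYPEs and never fetches external resources. */
    public static Source hardenedSource(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        // JAXB drives this reader, so every entity decision is made by the hardened parser,
        // not by whatever default parser JAXB would otherwise create for a plain String input.
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    public static XmlRoot unmarshal(String xml) throws Exception {
        Unmarshaller um = JAXBContext.newInstance(XmlRoot.class).createUnmarshaller();
        return (XmlRoot) um.unmarshal(hardenedSource(xml));
    }

    public static void main(String[] args) throws Exception {
        String benign = "<?xml version=\"1.0\"?><xmlroot><xmlEntry>hello</xmlEntry></xmlroot>";
        System.out.println("benign -> " + unmarshal(benign).xmlEntry); // hello

        // Same shape as the deck's slide-9 document; the DOCTYPE is refused before &xxe; is seen.
        String attack = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                + "<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>";
        try {
            unmarshal(attack);
            System.out.println("attack -> ACCEPTED?! (parser is not hardened)");
        } catch (UnmarshalException e) { // JAXB wraps the parser's SAXParseException
            System.out.println("attack -> rejected: " + e.getLinkedException().getMessage());
        }
    }
}
```

The point of going through SAXSource is that `unmarshal(String)`-style convenience overloads let JAXB pick its own parser with its own defaults; passing a Source built from your configured reader is the only way to be sure which features apply.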
How to Prevent - DocumentBuilderFactory
• Configure DocumentBuilderFactory according to
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Primary defence: reject any DOCTYPE declaration, so no entity can be declared at all
String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
// Defence in depth: also disable external general entities
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
...
How to Prevent - DocumentBuilderFactory
• Use preconfigured SafeDocumentBuilderFactory
https://gitlab.com/ultimatesecpro/xxeprotection
// SafeDocumentBuilderFactory applies the cheat-sheet features before handing out a builder
DocumentBuilder builder = SafeDocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
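The DocumentBuilderFactory configuration that the slide abbreviates with "...", written out in full and exercised. This is an added example and not the SafeDocumentBuilderFactory from the xxeprotection project: hardenedFactory applies the complete feature list from the cheat sheet section linked above, and main shows a benign document being parsed, the slide-9 payload shape being rejected, and, as the caveat a practitioner should know, a harmless internal entity being rejected as well. SafeDomDemo, parseOrNull and the sample documents are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SafeDomDemo {

    /** DocumentBuilderFactory with the full setting list from the OWASP cheat sheet. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary defence: refuse any DOCTYPE, which removes external entities,
        // parameter entities and entity-expansion denial of service in one step.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation does not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses with the hardened builder; returns null when the parser rejects the document. */
    public static Document parseOrNull(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String benign = "<xmlroot><xmlEntry>order-42</xmlEntry></xmlroot>";
        Document ok = parseOrNull(benign);
        System.out.println("benign   -> " + ok.getDocumentElement().getTextContent()); // order-42

        // The slide-9 payload shape: the DOCTYPE is refused before the entity could be resolved.
        String attack = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                + "<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>";
        System.out.println("attack   -> " + (parseOrNull(attack) == null ? "rejected" : "ACCEPTED?!"));

        // Caveat: a harmless internal entity is rejected too, because the rule is "no DOCTYPE at
        // all". Formats that legitimately depend on DTDs need the per-feature settings instead.
        String internal = "<!DOCTYPE xmlroot [<!ENTITY company \"Tufin\">]>"
                + "<xmlroot><xmlEntry>&company;</xmlEntry></xmlroot>";
        System.out.println("internal -> " + (parseOrNull(internal) == null ? "rejected" : "accepted"));
    }
}
```

A useful check when rolling this out is exactly the third case: feed a DOCTYPE-bearing document from your own test fixtures through every parser entry point in the application and confirm each one rejects it, since a single forgotten DocumentBuilderFactory.newInstance() elsewhere in the code base leaves the default, entity-resolving behaviour in place.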
Sources
• Protection
https://gitlab.com/ultimatesecpro/xxeprotection
• Demo
https://gitlab.com/ultimatesecpro/xxedemo
Summary
• You know what an XML External Entities (XXE) attack is.
• You know how to prevent it.
Thank you!
• Contact me
– www.linkedin.com/in/furmanmichael/
– ultimatesecpro@gmail.com
– https://ultimatesecurity.pro/
– @ultimatesecpro


Editor's Notes

  • #3 Hi everyone, Thank you for joining the last lecture for today. What will we see today? I will start by giving you an overview of OpenID Connect. I will describe the OpenID Connect protocol, and will show you how it compares to other protocols. Then, we will review some of OpenID Connect Implementations. Finally, I will show you one of the best OpenID Connect implementations: Keycloak.
  • #4 Before we begin, a couple of words about me and the company I work for - Tufin. I have many years of experience in software development. Like most of you here today, I particularly like application security. I started to work in this area more than 10 years ago, and enjoy each day I work on it. For the last few years, I am responsible for the application security of all Tufin products. Recently I have started to write a blog – you are more than welcome to read it. Something personal: I like traveling, reading books and listening to music. I particularly enjoy listening to jazz.
  • #5 And now, a couple of words about Tufin. Tufin is a great company. It is already over 13 years old. We have a lot of customers. Our customers are all around the world: in Israel, USA, Europe, Asia. Some are huge companies, others are much smaller. We have customers in many industries. For example: AT&T, BMW and Visa. Recently we have started to develop products that integrate security into the DevOps pipeline. You are more than welcome to visit our booth. Tufin is always growing. When I joined the company about 5 years ago, it took up only one and a half floors. Now it takes up almost 4 floors and that is only in Israel. We have also expanded abroad. We recently opened up a new main office in Boston. We are always looking for good people. We are looking for Java, C++, DevOps people. We are looking for Docker and Kubernetes gurus. You can visit our site to see our open positions in RnD, Sales, Marketing and additional areas.
  • #12 Who is the attack target
  • #18 Not to use XML. Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
  • #19 https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration:
  • #20 https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration:
  • #21 https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl Default: false
  • #22 https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl Default: false
  • #25 Thank you for participating in my lecture! Please contact me if you need any additional information, or if you want to send me your resume.