XXE Attacks Explained


Of the many attacks that threaten web applications today, XXE is the one talked about the least. Although it gets far less attention than XSS or SQL injection, it carries its own risk and should not be taken lightly.

In this guide, I will explain what XXE is, why it is dangerous, and how to protect against it. But before we can learn about this attack, we first need to understand a few things about XML.

Introduction to XML

XML (eXtensible Markup Language) is a tag-based language that applications use to transfer data. Unlike other tag-based languages (such as HTML), XML has no pre-defined tags; instead, the tags are defined by the user.

Here is an example of an XML document:

<email>
<sender>John</sender>
<recipient>Peter</recipient>
<subject>Hi</subject>
<message>Hi Peter, How are you doing?</message>
</email>

In the above document, the email tag contains four child tags: sender, recipient, subject, and message. Each of these tags encloses a string of characters, referred to in XML as parsed character data (or PCDATA).
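As an added example (not code from the original article), the following Python parses the email document above and pulls out the PCDATA of each child tag; it also refuses any document that declares a DOCTYPE, because the DTD is where entities, the mechanism XXE abuses, are declared, and rejecting it outright is the simplest precaution for input that needs no DTD. The function names parse_email and is_accepted and the DOCTYPE-bearing sample input are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# The <email> document from the article, embedded so the example runs offline.
EMAIL_XML = """<email>
<sender>John</sender>
<recipient>Peter</recipient>
<subject>Hi</subject>
<message>Hi Peter, How are you doing?</message>
</email>"""

# Constructed input: the same document preceded by a DOCTYPE declaration.
# A DTD is where entities (including external ones) get declared, so a parser
# handling untrusted input that never needs a DTD should not process one.
EMAIL_WITH_DTD = "<!DOCTYPE email>\n" + EMAIL_XML


class DoctypeNotAllowed(ValueError):
    """Raised when an untrusted document carries a DTD."""


def parse_email(xml_text: str) -> dict:
    """Return the PCDATA of each child of <email> as {tag: text}.

    Documents that declare a DOCTYPE are rejected before the XML parser
    ever sees them (hypothetical helper written for this example).
    """
    if "<!DOCTYPE" in xml_text:
        raise DoctypeNotAllowed("DTD declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != "email":
        raise ValueError(f"unexpected root element <{root.tag}>")
    # Each child element encloses parsed character data; .text holds it.
    return {child.tag: (child.text or "") for child in root}


def is_accepted(xml_text: str) -> bool:
    """True if parse_email accepts the document, False if rejected for a DTD."""
    try:
        parse_email(xml_text)
        return True
    except DoctypeNotAllowed:
        return False


if __name__ == "__main__":
    for tag, text in parse_email(EMAIL_XML).items():
        print(f"{tag}: {text}")
    print("document with DTD accepted?", is_accepted(EMAIL_WITH_DTD))
```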
