XXE attack

This question is not within the course, but I hope you can help me. How do I exploit an XXE (XML eXternal Entity) attack, and how do I secure against it? I found a picture which depicts that attack, but I need more details.

Have you read the OWASP guides on it? They explain it pretty concisely.



The safest way to prevent XXE is always to disable DTDs (External Entities) completely. Depending on the parser, the method should be similar to the following:

  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Disabling DTDs also makes the parser secure against denial of service (DoS) attacks such as Billion Laughs. If it is not possible to disable DTDs completely, then external entities and external doctypes must be disabled in the way that's specific to each parser.

Detailed XXE Prevention guidance for a number of languages and commonly used XML parsers in those languages is provided below.
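As an added example (not from the original thread or the OWASP cheat sheet), here is a complete Java program that shows both halves of the question: a constructed XXE payload that pulls a local file into the document through a default JAXP `DocumentBuilder`, and the same payload being rejected by a builder configured with the `disallow-doctype-decl` feature from the answer above, plus the per-parser fallbacks for when a DOCTYPE must be accepted. The class name `XxeDemo`, the temporary file and its contents, and the `<order><note>` document are invented for the demonstration; the behaviour of the vulnerable builder assumes a stock JDK whose bundled Xerces parser resolves external entities by default.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload: an external general entity whose SYSTEM identifier is a
    // file:// URI. If the parser resolves it, the file content replaces &xxe;.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE order [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<order><note>&xxe;</note></order>";
    }

    // Default JAXP configuration (assumed stock JDK): DTDs are processed and
    // external general entities are resolved, so the payload above works.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration following the advice quoted above.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Preferred fix: refuse any DOCTYPE. This stops XXE and entity-expansion
        // DoS (Billion Laughs) at once, because no entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers/deployments that must accept a DOCTYPE:
        // no external general or parameter entities, no external DTD loading.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the document and return the text inside <note>.
    static String parseNote(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("note").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for /etc/passwd or a config file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        String xml = payload(secret);

        // Vulnerable: the file content is pulled into the parsed document.
        System.out.println("vulnerable parser read: " + parseNote(vulnerableBuilder(), xml));

        // Hardened: the parser rejects the DOCTYPE before any entity is resolved.
        try {
            parseNote(hardenedBuilder(), xml);
            System.out.println("unexpected: hardened parser accepted the payload");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo` (Java 11 or later for `Files.writeString`). The first line of output shows the attack: whatever the entity points at ends up in the `<note>` text, and the same mechanism reaches `http://` URLs for SSRF or, with a parameter entity, an out-of-band channel. The second line shows that with `disallow-doctype-decl` the parse fails on the `<!DOCTYPE` line itself, which is why the quoted guidance prefers that single switch over the feature-by-feature fallbacks.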