16 lines
881 B
Markdown
## Testing & Prevention

**How to Find and Test for XXE vulnerabilities**

- Use BurpSuite's Web Vulnerability Scanner
- Manual testing involves the following:
  - Testing for file retrieval by defining an external entity based on a well-known OS file
  - Testing for blind XXE by defining an external entity based on a URL to a system you control
    - Burp Collaborator Client can be used for this
  - Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document by using an XInclude attack

**How to Prevent XXE Vulnerabilities**

- Disable features that allow an application's XML parsing library to support potentially dangerous XML features that the application does not need:
  - Disable resolution of external entities
  - Disable support for XInclude
- Done via configuration options or by programmatically overriding default behavior