[Owasp-leaders] Needed: OWASP Article on XML External Entity (XXE) Attacks

Dave Wichers dave.wichers at owasp.org
Fri Mar 2 14:28:04 UTC 2012


All,

 

I noticed that Sascha Herzog uploaded a presentation about this topic to
OWASP.

 

It is at: https://www.owasp.org/images/5/5d/XML_Exteral_Entity_Attack.pdf

 

And there is also a minor reference to this issue in the OWASP testing guide
page on XML Injection.

 

However, we don't have an article specifically on this topic at OWASP.

 

Would some people be interested/willing to contribute to writing such an
article?

 

I think this is a very important and extremely common risk that most people
are NOT aware of. I want to put some sunshine on this issue and as a first
step I want to have a great article about this topic that I can point people
to, and then maybe in the future a separate article on how to avoid it.

 

Actually, I think this particular issue is simple enough that we can explain
the issue AND how to fix it in the same article, but I could be wrong.

 

Any takers? I'd recommend it be at:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Attack, with a
shortcut from:  https://www.owasp.org/index.php/XXE. 

 

Thanks, Dave

 

p.s. I've done this several times before, but I usually just reach out to an
individual to write the article. For example I asked:

* Amit Klein - the discoverer of DOM-based XSS to write OWASP's
  DOM-based XSS Article.
* Gustav Rydstedt - A coauthor of the Stanford Clickjacking paper to
  write OWASP's article on Clickjacking.

And they did. :)

 

So hopefully Sascha, and/or others will step up.  Thanks again.
