[Owasp-leaders] Needed: OWASP Article on XML External Entity (XXE) Attacks

Dave Wichers dave.wichers at owasp.org
Fri Mar 2 14:28:04 UTC 2012



I noticed that Sascha Herzog uploaded a presentation about this topic to


It is at: https://www.owasp.org/images/5/5d/XML_Exteral_Entity_Attack.pdf


And there is also a minor reference to this issue in the OWASP testing guide
page on XML Injection.


However, we don't have an article specifically on this topic at OWASP.


Would some people be interested/willing to contribute to writing such an


I think this is a very important and extremely common risk that most people
are NOT aware of. I want to put some sunshine on this issue and as a first
step I want to have a great article about this topic that I can point people
to, and then maybe in the future a separate article on how to avoid it.


Actually, I think this particular issue is simple enough that we can explain
the issue AND how to fix it in the same article, but I could be wrong.


Any takers? I'd recommend it be at:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Attack, with a
shortcut from:  https://www.owasp.org/index.php/XXE. 


Thanks, Dave


p.s. I've done this several times before, but I usually just reach out to an
individual to write the article. For example I asked:


* Amit Klein - the discoverer of DOM-based XSS to write OWASP's
  DOM-based XSS Article.

* Gustav Rydstedt - A coauthor of the Stanford Clickjacking paper to
  write OWASP's article on Clickjacking.


And they did. :)


So hopefully Sascha, and/or others will step up.  Thanks again.
