[Owasp-testing] Testing Guide V4 - Start up

Luca Carettoni luca.carettoni at ikkisoft.com
Tue Sep 4 17:34:19 UTC 2012


On Mon, 2012-09-03 at 13:56 +0200, Paolo Perego wrote:
> Actually, the XML vs JSON debate is a question both client side (ajax
> calls) and server side (APIs and webservices using both data
> formats) that we must address in the guide.

Speaking of "pure" XML, we should probably extend the XML injection
section with all techniques and details discovered by @Agarri_FR:
advanced XEE attacks (e.g. binary files retrieval), XSLT code exec, etc.

Cheers,
L.

-- 
Luca Carettoni <luca.carettoni at ikkisoft.com>
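The XXE and entity-expansion techniques mentioned in the thread all depend on the parser accepting a DTD. The following is an added illustration, not code from the thread or from the OWASP Testing Guide: a small Python gate that refuses any DOCTYPE or ENTITY declaration before handing untrusted XML to the standard-library parser. The function and class names and the sample documents are constructed for this example.

```python
"""Added example: reject DTDs before parsing untrusted XML.
Illustration only; not part of the OWASP Testing Guide or this thread."""
import re
import xml.etree.ElementTree as ET

# External entities (file/URL retrieval) and entity-expansion bombs both
# require a DTD, so the policy here is simply: no DOCTYPE, no ENTITY.
_DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class XmlPolicyError(ValueError):
    """Raised when a document violates the no-DTD policy (hypothetical name)."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DTD up front.

    Checking the raw bytes before parsing means the document is rejected
    before any entity could be declared, let alone resolved or expanded.
    """
    if _DTD_MARKER.search(data):
        raise XmlPolicyError("DTD or entity declaration not accepted")
    return ET.fromstring(data)


def accepts(data: bytes) -> bool:
    """Convenience wrapper: True if the document passes policy and parses."""
    try:
        parse_untrusted_xml(data)
    except (XmlPolicyError, ET.ParseError):
        return False
    return True


# Constructed sample inputs for the demonstration.
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY x "y">]>'
            b'<order>&x;</order>')

if __name__ == "__main__":
    print("benign accepted:", accepts(BENIGN))      # True
    print("DTD accepted:", accepts(WITH_DTD))       # False
```

The trade-off is that legitimate documents carrying a DOCTYPE are also refused; for inputs that genuinely need one, the parser's entity resolution has to be disabled explicitly instead (for instance `resolve_entities=False` and `no_network=True` in lxml), which this stdlib-only example does not cover.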
