[OWASP-wiki-editors] XXE mitigations in .NET

Jim Manico jim.manico at owasp.org
Tue Sep 22 15:34:09 UTC 2015


Fantastic, thank you! I'll update the XXE page shortly.

Thank you very much, Vyacheslav!

--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!

> On Sep 22, 2015, at 7:14 AM, Москвин Вячеслав Андреевич <vmoskvin at ussc.ru> wrote:
> 
> Hi!
> I think that the XXE mitigations in .NET described in the article https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing are not sufficient. We tested them and found out that the following settings
> 
> settings.ProhibitDtd = true;
>  
> and
>  
> XmlReaderSettings settings = new XmlReaderSettings();
> settings.DtdProcessing = DtdProcessing.Prohibit;
>  
> don’t actually prohibit external entity processing (but prohibit processing of XML bombs). This helps, though:
>  
> settings.XmlResolver = null;
>  
> Also, the last piece of code is from http://msdn.microsoft.com/en-us/magazine/ee335713.aspx , which is referenced in the article.
>  
> ---
> Vyacheslav Moskvin
> USSC Ltd.
> www.ussc.ru
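A reader configuration that applies both settings discussed in the thread (DTD prohibition plus a null resolver) and shows how a document carrying a DOCTYPE is rejected, as an added C# example that is not from the original mail or the OWASP page; the class name SafeXml and the sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

static class SafeXml
{
    // Defence in depth: refuse any DTD and also drop the resolver that
    // would fetch external resources, so neither setting stands alone.
    public static XmlReaderSettings HardenedSettings()
    {
        var settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit; // reject <!DOCTYPE ...>
        settings.XmlResolver = null;                     // never resolve external entities
        return settings;
    }

    // Returns the text of the first element, or null when the reader
    // rejects the input (e.g. because it contains a DTD).
    public static string ParseFirstElementText(string xml)
    {
        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
        {
            try
            {
                while (reader.Read())
                {
                    if (reader.NodeType == XmlNodeType.Element)
                        return reader.ReadElementContentAsString();
                }
            }
            catch (XmlException ex)
            {
                // XmlException is raised on the DOCTYPE when DtdProcessing.Prohibit is set
                Console.WriteLine("Rejected: " + ex.Message);
                return null;
            }
        }
        return null;
    }

    static void Main()
    {
        // Constructed samples: a plain document and one declaring an external entity.
        const string plain = "<note>hello</note>";
        const string withDtd =
            "<!DOCTYPE note [<!ENTITY ext SYSTEM \"http://example.invalid/e.xml\">]><note>&ext;</note>";
        Console.WriteLine(ParseFirstElementText(plain) ?? "(rejected)");   // hello
        Console.WriteLine(ParseFirstElementText(withDtd) ?? "(rejected)"); // (rejected)
    }
}
```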