In this video, you will learn about flaw mitigation processes for XXE.
Welcome to the third and last part of the XML External Entities session. In this part, we will discuss XML external entities flaw mitigation. We will start by discussing what makes an application vulnerable, and then we will hunt through the OWASP Juice Shop vulnerable source code. Before closing the session, we will discuss how to avoid such vulnerabilities. If an application accepts XML directly, allows XML file uploads, or allows arbitrary input data to be inserted into XML templates later parsed by an XML processor, then it might be vulnerable. If any of the XML processors in the application, or other integrated services, is outdated or has DTD, Document Type Definition, enabled, then the application may be vulnerable or at risk. Security Assertion Markup Language (SAML) uses XML.
If you're using it for single sign-on, then your application may be vulnerable. SOAP prior to version 1.2, when XML entities are passed to the SOAP framework, is likely vulnerable to XXE. Let's have a look at the source code. From the project page, we can jump directly to the GitHub repo and find the file upload route.
This is a function that handles the XML upload.
xmlDoc is the result of calling the parseXml function, passing in the uploaded file content.
Several options are passed to the function; noent is the most suggestive one. Let's find the package documentation and see what this option does.
The XML processor is part of the libxmljs2 package.
The parseXmlString function sounds like what we are looking for. Let's see what options it accepts.
The noent option: when set to true, entities’ occurrences will be replaced by the content they hold, previously retrieved by the processor from the resource they point to. This is what makes Juice Shop vulnerable. It should be set to false to prevent XXE attacks.
Make sure that all XML processors and libraries in use by the application or on the underlying operating system are up to date and that the latest security patches have been applied. Upgrade SOAP to SOAP 1.2 or higher. Disable XML External Entities and Document Type Definition features in all XML processors. Check the OWASP cheat sheet XXE Prevention to get more details on how to do it for several programming languages and frameworks. Proper server-side input validation, filtering, and sanitisation are mandatory to prevent hostile data from being included in XML documents, headers, or other integrated systems. In our next session, we will discuss broken access control flaws. Until then, take your time to carefully read the XML External Entities section of the OWASP Top 10.


We will start by explaining what makes the OWASP Juice Shop application vulnerable. You will watch a demonstration that will show you how to identify these vulnerabilities by looking at the source code.

Investigate and share: In the first XXE video we looked at this OWASP table on XXE. Take some time now to review the table and additional information. What do you think are the key points to remember from this page?

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals, created by FutureLearn - Learning For Life.
