Wednesday, November 20 • 2:00pm - 2:50pm
What You Didn't Know About XML External Entities Attacks


Video of session:
https://www.youtube.com/watch?v=eHSNT8vWLfc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=9

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs), are a well-known source of potential security problems. Despite having been publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious schemas and DTDs. This talk will describe a collection of techniques for exploiting XML external entities (XXE) vulnerabilities, some of which we believe are novel. These techniques can allow for more convenient file content theft, sending of arbitrary data to arbitrary internal TCP services, uploads of arbitrary files to known locations on a vulnerable system, as well as several possible denial of service attacks. We hope this talk will raise awareness about the overall risk associated with XXE attacks and will provide recommendations that developers and XML library implementors can use to help prevent these attacks.
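The mitigation side of the abstract, as an added example that is not part of the talk or its materials: every XXE variant listed above needs an entity declaration, and entity declarations can only live inside a DOCTYPE, so a parser that refuses any DOCTYPE removes the mechanism outright. The Python code below configures the standard-library expat parser to do that (and to refuse external entity fetches as defence in depth); the sample documents and the `file:///example/...` URL are constructed for the demonstration.

```python
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when the document declares a DOCTYPE (inline DTD or external subset)."""


def parse_without_dtd(xml_bytes: bytes) -> dict[str, str]:
    """Parse a small XML document with expat while refusing the DTD features
    that XXE relies on. Returns {element name: text} for leaf elements."""
    parser = expat.ParserCreate()
    leaves: dict[str, str] = {}
    stack: list[list[str]] = []  # one character buffer per open element

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is refused: an <!ENTITY ...> declaration cannot appear
        # anywhere else, so this closes off file theft, SSRF and entity-expansion DoS.
        raise DtdRejected(
            f"DOCTYPE {name!r} rejected (system id {sysid!r}, "
            f"internal subset present: {bool(has_internal_subset)})"
        )

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: returning 0 tells expat not to fetch the entity.
        return 0

    def on_start(name, attrs):
        stack.append([])

    def on_chars(data):
        if stack:
            stack[-1].append(data)

    def on_end(name):
        text = "".join(stack.pop()).strip()
        if text:
            leaves[name] = text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return leaves


def rejects_dtd(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document because of a DOCTYPE."""
    try:
        parse_without_dtd(xml_bytes)
    except DtdRejected:
        return True
    return False


# Constructed sample inputs (not from the talk).
BENIGN = b"<order><id>42</id><item>widget</item></order>"
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///example/local-file"> ]>\n'
    b"<order><id>&ext;</id></order>"
)
```

Applications that genuinely need a DTD (for example to validate against an internal subset) should instead keep the DOCTYPE handler and refuse only external identifiers, but most services that accept XML from untrusted parties can reject DOCTYPE entirely.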

Speakers

Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis
