1
00:00:00,060 --> 00:00:08,460
Injection of XML as input, if not blocked by adequate validation mechanisms, can have serious

2
00:00:08,460 --> 00:00:15,200
consequences in terms of security, as we will see in the following example.

3
00:00:18,590 --> 00:00:28,260
Injection of malicious XML in this example results in an output XML file that would allow the creation

4
00:00:28,260 --> 00:00:34,320
of a user with administrator privileges instead of a normal user.

5
00:00:37,140 --> 00:00:45,510
So the remedy consists in validating the input, for example, with regular expressions and blocking

6
00:00:45,510 --> 00:00:53,100
the possibility of inserting tags enclosed between less-than or greater-than symbols.

7
00:00:56,770 --> 00:01:05,740
Let's see this other vulnerability: the XML External Entity (XXE) vulnerability. The XXE vulnerability,

8
00:01:06,790 --> 00:01:14,840
linked to an exchange of data in XML format, occurs against a poorly configured XML

9
00:01:14,910 --> 00:01:15,730
parser.

10
00:01:18,880 --> 00:01:28,120
A poorly configured parser can agree to extract and process data from an external entity instead of

11
00:01:28,120 --> 00:01:34,060
processing the data that should reside in the XML file itself.

12
00:01:38,520 --> 00:01:46,290
The major risk factor for the presence of this vulnerability is that the parser allows the definition

13
00:01:46,290 --> 00:01:53,580
of a DTD in the XML document and allows the processing of external resources.

14
00:01:57,240 --> 00:02:07,240
Among the most important remedies: disable XML external entity and DTD processing in all XML

15
00:02:07,260 --> 00:02:08,130
parsers.

16
00:02:11,340 --> 00:02:20,760
As a remedy for XXE, it is also important to use XML document validation based on XSD,

17
00:02:20,760 --> 00:02:23,970
XML Schema Definition.

18
00:02:26,580 --> 00:02:29,570
Thank you for your kind attention, take care.