4. XML External Entities (XXE) (OWASP Top 10)

XML External Entities (XXE)

* Applications, and in particular XML-based web services or downstream inter

* The application accepts XML directly or XML uploads, especially from untrusted sources, that is then parsed by an XML processor.

* Any of the XML processors in the application, or SOAP (Simple Object Access Protocol) based web services, has document type definitions (DTDs) enabled.

* The application uses SAML for identity processing within federated security or single sign-on (SSO) purposes. SAML uses XML for identity assertions and may be vulnerable.

* The application uses SOAP prior to version 1.2; it is likely susceptible to XXE attacks if XML entities are being passed to the SOAP framework.

* Example scenario:

1. Numerous public XXE issues have been discovered, including attacks on embedded devices. XXE occurs in a lot of unexpected places, including deeply nested dependencies. The easiest way is to upload a malicious XML file, if accepted:

* An attacker probes the service's private network by changing the above ENTITY line to:

<!ENTITY xxe SYSTEM "https://198.168.X.X/private">]>
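As an added example (not part of the original notes), a Python parser wrapper that applies the mitigation the DTD bullet above points at: refuse DOCTYPE declarations outright, so an ENTITY line like the one above is never processed, and refuse external entity fetches as defence in depth. The sample documents are constructed; the 198.168.X.X address is the page's own placeholder.

```python
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when a document declares a DTD, which is where XXE entities live."""


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse XML with expat while refusing the DTD features XXE relies on.

    Returns the root element name and its concatenated text. The whole
    DOCTYPE is rejected rather than trying to allow 'safe' DTDs.
    """
    parser = expat.ParserCreate()
    # Never resolve parameter entities, so an external DTD subset is never fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    summary = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Reject as soon as <!DOCTYPE ...> appears; its entities are never inspected.
        raise DtdNotAllowed(f"DOCTYPE '{name}' declared; DTDs are disabled")

    def on_external_entity(context, base, sysid, pubid):
        # Defence in depth: never fetch a file:// or http(s):// SYSTEM target.
        raise DtdNotAllowed(f"external entity {sysid!r} refused")

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = summary["text"].append
    parser.Parse(xml_bytes, True)
    return {"root": summary["root"], "text": "".join(summary["text"])}


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the document parses under the no-DTD policy, False if rejected."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except DtdNotAllowed:
        return False


# Constructed samples: a benign document, and the page's ENTITY line wrapped
# in a complete document (198.168.X.X is the page's own placeholder address).
BENIGN_ORDER = b'<?xml version="1.0"?><order><id>42</id></order>'
XXE_PROBE = (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "https://198.168.X.X/private">]>'
             b"<foo>&xxe;</foo>")
```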
