“Wait, I’m not clear on what’s happening here. Is this even possible? Just by giving an application a single piece of XML, you can cause it to steal other files for you?”
Those were a customer’s words when an XML External Entity injection vulnerability was reported on one of his applications and although these kinds of attacks are known since the early 2000s I’m still under the impression that they are not known and tested enough by application developers and security auditors. Actually during this research we found complete frameworks like SpringMVC being vulnerable to XXE injection. Find more on the podcast and whitepaper I wrote on this interesting topic in the HPSR blog.