Summary
In this chapter, we went through different ways to exploit an XML parser or a service that parses XML. XML parsers are very common these days; they can be spotted in the form of API endpoints, XML services, or even file upload forms that process XML files after upload. A lot of them are misconfigured, which allows flaws such as XXE to surface. Do practice XXE and XML DoS techniques in a controlled environment for better understanding. XXE was used to get remote code execution on Facebook: http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution.
In the next chapter we'll cover some emerging attack vectors such as PHP Object Injection, RPO, and many more.