How is an XXE produced?
An External XML Entity (XXE) is a vulnerability resulting from an error when an application parses a document and follows the instructions contained in it, despite the fact that these could be malicious.
Basically, it works due to the current applications that allow users to upload XML data to the application. The server processes this information and sends a response.
In order to understand how XML works, see the next example:
<search><Term>cosa</term></search>
This line is sent by the client to the server, using a normal request in order to be processed; the result is also described in XML, as follows:
<search><result>result not found!</result></search>
As you can see from the preceding example, all of the tags included in the request and response are personalized, whereas in HTML, you have defined tags for each instruction. In XML, you define your own tags and you can use a document called a DTD. It helps to define the...