2017 OWASP Top 10: XML External Entities

  • Published on 27 Sep 2024
  • New 2021 OWASP Lightboard Series:
    • 2021 OWASP Top Ten
    Video 4/10 on the 2017 OWASP Top Ten Security Risks.
    John Wagnon discusses the details of the #4 vulnerability listed in this year's OWASP Top 10 Security Risks: XML External Entities. Learn about this security risk and how to guard against it.
    community.f5.c...

Comments • 38

  • @shreyasjoshi9
    @shreyasjoshi9 5 years ago +24

    What's Nemanja Matic doing here?

  • @intel_da_developer4791
    @intel_da_developer4791 4 years ago +1

    Learning a lot, can't wait to pass this test.

    • @devcentral
      @devcentral 4 years ago

      Glad you enjoyed it!

  • @minhld8736
    @minhld8736 3 years ago +1

    Good presentation, man. I wonder how you write things on the screen?

    • @psilvas
      @psilvas 3 years ago

      Thanks for the comment! You can see how we do it here: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html

  • @eamonnkeane9521
    @eamonnkeane9521 5 years ago +2

    John, thanks for an excellent series of videos. Any further insight into the rise of XXE on the OWASP Top 10? Many thanks.

  • @mostafazaghloul7772
    @mostafazaghloul7772 3 years ago +1

    Thanks man, you do great.

    • @devcentral
      @devcentral 3 years ago +1

      Glad you enjoyed the video!

  • @saichaithanya2360
    @saichaithanya2360 5 years ago +1

    Does this work the same as SQL injection, where we can just inject XML tags inside the text field and enter the web app?

    • @devcentral
      @devcentral 5 years ago +1

      Hi, this is a different attack from a SQL injection because this one relies on untrusted XML input being parsed by an XML processor. But, you could view this in a similar sense to SQL injection in the sense that they both are using untrusted inputs and then executing on those untrusted inputs. Thanks for the great question!

    • @viralvideos9227
      @viralvideos9227 4 years ago

      @@devcentral I was doing web scraping, but in Python 3 some methods are replaced; it says about the attacks. I came here, and now I understood how attackers attack. Good tutorials :)

  • @azizahnur9194
    @azizahnur9194 6 years ago +1

    Thanks a lot, guys.

    • @devcentral
      @devcentral 6 years ago

      Glad you enjoyed it!

  • @md4m49
    @md4m49 6 years ago +1

    Good tut, thank you sir.

    • @devcentral
      @devcentral 6 years ago

      Glad you enjoyed it!

  • @bigmarkua
    @bigmarkua 4 years ago

    Thanks!

  • @bradandrews777
    @bradandrews777 5 years ago

    A lot of handwaving in this. "Implement a WAF" is not a solution without noting exactly what the WAF will cover.
    I am still not completely clear why this is not an injection attack. Likely because XML stuff is getting more attention. It is just watching for "bad input", except that recursion like the one he notes is really hard to catch. Only allowing so many levels of recursion would seem to be the main way to block this.
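The two exchanges above (the reply explaining that XXE depends on untrusted XML reaching an XML processor, and the remark that limiting entity recursion is the main way to block expansion attacks) are the setting for the following added example. It is not code from the video or from DevCentral. It shows the mitigation OWASP recommends for this risk, refusing DTDs and entity declarations outright rather than trying to count recursion levels, using only Python's standard-library expat bindings. The sample documents, the placeholder system identifier and the helper names (`parse_untrusted_xml`, `check_document`) are constructed for this example.

```python
"""Hardened XML parsing for untrusted input: refuse any DOCTYPE or entity
declaration before the parser can resolve it.

Added example (stdlib only, xml.parsers.expat); the sample documents below
are constructed for illustration and the system identifier is a placeholder.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD, an entity, or is malformed."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source with DTD processing disabled.

    Returns {"root": <root tag>, "text": <concatenated character data>}
    so callers can check what was actually parsed.
    """
    parser = expat.ParserCreate()
    # Never read parameter entities (i.e. never fetch an external DTD subset).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result = {"root": None, "text": ""}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Both XXE and entity-expansion payloads need a DTD; refuse it outright.
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed")

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # Defence in depth: unreachable once DOCTYPE is refused, but explicit.
        raise UnsafeXMLError(f"entity declaration '{entity_name}' is not allowed")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Returning 0 aborts the parse instead of fetching the resource.
        return 0

    def on_start_element(tag, attributes):
        if result["root"] is None:
            result["root"] = tag

    def on_character_data(text):
        # expat may deliver text in several chunks; accumulate them.
        result["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = on_start_element
    parser.CharacterDataHandler = on_character_data

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Undefined entity references and other well-formedness errors land here.
        raise UnsafeXMLError(f"malformed XML rejected: {exc}") from exc
    return result


def check_document(data: bytes) -> str:
    """Classify a document as 'accepted' or 'rejected: <reason>'."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample documents.
BENIGN_ORDER = b'<?xml version="1.0"?><order><item>widget</item></order>'

# External entity declaration; the system identifier is a placeholder, never fetched.
EXTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/resource">]>'
    b'<order><item>&ext;</item></order>'
)

# Miniature of the nested-entity expansion the comment above refers to.
NESTED_ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;">]>'
    b'<order><item>&b;</item></order>'
)

# Entity reference with no DTD at all: a well-formedness error in expat.
UNDEFINED_ENTITY_DOC = b'<order><item>&nope;</item></order>'


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_ORDER),
                       ("external entity", EXTERNAL_ENTITY_DOC),
                       ("nested entity", NESTED_ENTITY_DOC),
                       ("undefined entity", UNDEFINED_ENTITY_DOC)]:
        print(f"{label:17s} -> {check_document(doc)}")
```

The DOCTYPE handler fires before any entity in the internal subset is declared or expanded, so the nested-expansion document is refused at the same point as the external-entity one; no recursion-depth heuristic is needed. Where a service genuinely requires DTDs, the `EntityDeclHandler` and `ExternalEntityRefHandler` hooks are the narrower controls to keep.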

  • @Temofey1989
    @Temofey1989 5 years ago +5

    Backward writing is really cool. :)))
    Thanks for the lesson.

  • @SzaboB33
    @SzaboB33 3 years ago +1

    Me watching the video:
    - Is he writing the other way around???
    - Ohh, he is using his left hand, probably it's mirrored, it's genius!
    Seeing the text on his shirt is not mirrored: OMG HE IS WRITING THE OTHER WAY AROUND!

    • @psilvas
      @psilvas 3 years ago +1

      Thanks for the comment! One of the questions we get the most and here's how we do it: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html

    • @SzaboB33
      @SzaboB33 3 years ago

      @@psilvas Thanks, very cool, so the text on his shirt indeed is mirrored :)

    • @devcentral
      @devcentral 3 years ago

      @@SzaboB33 Yep, had some reversed logo shirts made so they look proper in the final.

  • @kristofvk1550
    @kristofvk1550 6 years ago +4

    Why is it called XXE? 0:33
    XXE: the second X is for "EXternal", due to the pronunciation. Like XP (Extreme Programming).

    • @devcentral
      @devcentral 6 years ago

      Yes, that is correct... the second X is due to pronunciation.

    • @kevinbossgraphix
      @kevinbossgraphix 6 years ago

      Yes, you're right.

  • @clashingwithprolooters
    @clashingwithprolooters 3 years ago +1

    Please pay attention to XML syntax; spend 5 minutes learning stuff before you make a video. You are good at presentation though.

  • @hichama0180
    @hichama0180 6 years ago +13

    This method (Lightboard) is awesome and so professional; it keeps me following along with you. Keep up the good work and thanks for sharing.

    • @devcentral
      @devcentral 6 years ago +1

      Glad you are enjoying them!

  • @chrisdaileyguidebook
    @chrisdaileyguidebook 6 years ago +1

    Can we use these videos to build a training program for our developers?

    • @kevinbossgraphix
      @kevinbossgraphix 6 years ago

      I think everyone... can understand better.
      It's a brilliant way which helps me learn so many things, and I am able to understand almost everything because I take interest in power.

  • @narendrajha2628
    @narendrajha2628 3 years ago +1

    You are a good teacher, man. Thanks.

    • @devcentral
      @devcentral 3 years ago

      Glad you enjoyed it!

  • @gangamaheshwarreddyyeddula593
    @gangamaheshwarreddyyeddula593 6 years ago +1

    Can you share the documentation of each and every attack?

    • @devcentral
      @devcentral 6 years ago +1

      Hi. The OWASP website outlines all the specifics of each security risk and it shows some examples of possible attack vectors for each one. Here's the link: www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

  • @ertysasdi5426
    @ertysasdi5426 4 years ago

    Stupid conclusion. Since the video is mirrored in order to represent data correctly on the board, could I say that the logo on the t-shirt is reversed in real life???? I mean, there it is written: retnec atad

    • @devcentral
      @devcentral 4 years ago

      Yes, they are. If you're interested, this is how we produce these: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html