
XXE: Why It’s Still in the Top 10 - Sam Shute

Hosted By
Nick M. and Kirk J.

Details

XXE is commonly passed over in regular teaching and educational conference talks, yet it remains one of the top vulnerabilities for web applications that parse XML. We are still finding applications vulnerable to XML External Entity attacks today, and this talk will cover them in an easy-to-understand way.

Note: this was originally planned for June, but was delayed due to Wellington's COVID level change.

Description

XML External Entities (XXEs) have been in the OWASP Top Ten since 2017; however, they have existed as a vulnerability class for approximately two decades. Entities within XML can be used to do lots of fun things as an attacker, such as causing a Denial-of-Service through entity expansion, stealing files from the server, or even creating a backdoor.

This talk will cover the basics of what XXEs are, how to exploit them, and importantly for developers, how to prevent them.
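As an added example (not part of the talk or this page), the two attacks named in the description next to the defensive parser configuration a developer would want, using Python's standard-library expat bindings. The payloads are constructed for illustration, the "billion laughs" document is scaled down to three levels of ten-fold expansion, and the hardening follows the approach the defusedxml library takes: reject any DOCTYPE, entity declaration or external entity reference in an expat callback before the parser can act on it.

```python
"""Entity expansion and XXE against the stdlib expat parser: naive vs hardened."""
import xml.parsers.expat as expat

# Constructed payload: a scaled-down "billion laughs". Roughly 300 bytes of
# input expand to 3000 bytes of text (10 * 10 * 10 copies of "lol").
LOL_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<doc>&lol3;</doc>"""

# Constructed payload: the classic XXE file read. A parser that resolves
# external entities would inline the file's contents where &xxe; appears.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<doc>&xxe;</doc>"""

# Constructed benign input: what the application actually expects.
BENIGN = b"<doc>hello</doc>"


class ForbiddenDTD(ValueError):
    """Raised by the hardened parser when a document carries a DTD or entity."""


def _collect_text(parser):
    """Attach a character-data handler and return the list it appends to."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def naive_text(data: bytes) -> str:
    """Default expat configuration. Internal entities are expanded freely;
    Expat's own amplification guard only engages above ~8 MiB of output,
    so a modest payload like LOL_PAYLOAD is expanded in full."""
    parser = expat.ParserCreate()
    chunks = _collect_text(parser)
    parser.Parse(data, True)
    return "".join(chunks)


def hardened_text(data: bytes) -> str:
    """Refuse DOCTYPEs, entity declarations and external entity references.
    An exception raised inside an expat handler aborts Parse() immediately,
    so nothing after the DOCTYPE is ever expanded or fetched."""
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE {name!r} is not allowed")

    def forbid_entity(*args):
        raise ForbiddenDTD("entity declarations are not allowed")

    def forbid_external(context, base, system_id, public_id):
        raise ForbiddenDTD(f"external entity {system_id!r} is not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    chunks = _collect_text(parser)
    parser.Parse(data, True)
    return "".join(chunks)


def amplification(data: bytes) -> float:
    """Expanded text size over input size: the lever behind the DoS."""
    return len(naive_text(data)) / len(data)


def rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        hardened_text(data)
    except ForbiddenDTD:
        return True
    return False


if __name__ == "__main__":
    print(f"naive parser expanded {len(LOL_PAYLOAD)} bytes into "
          f"{len(naive_text(LOL_PAYLOAD))} bytes ({amplification(LOL_PAYLOAD):.0f}x)")
    print("hardened parser rejects expansion payload:", rejects(LOL_PAYLOAD))
    print("hardened parser rejects file-read payload:", rejects(XXE_PAYLOAD))
    print("hardened parser still reads benign input:", hardened_text(BENIGN))
```

The same principle applies to any parser stack: disable DTD processing outright where the application does not need it (in Java, for example, the `http://apache.org/xml/features/disallow-doctype-decl` feature on a `DocumentBuilderFactory`), and only fall back to selectively disabling external general and parameter entities when DTDs are genuinely required.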

Speaker Biography

Sam Shute is a Principal Security Consultant with Quantum Security in Wellington. His day-to-day work revolves mostly around running Quantum’s technical consulting team, but occasionally he gets out of the office to compromise applications and networks all around New Zealand.

Sam’s other areas of interest include network penetration testing, 3D printing, and lock picking.

Other Notes

The talk kicks off at 6pm, but we'll have some snacks beforehand. Arrive any time from 5:30pm onwards!

We will communicate any postponements if, for example, Wellington goes back to COVID Level 2. If you are unwell please RSVP "no" and do not attend. We'll look forward to seeing you when you're well.

OWASP New Zealand Chapter - Wellington