Course

In this lab, we explore the exploitation of XML External Entities (XXE) vulnerabilities. Some XML parsers will automatically resolve external entities, which can be manipulated by an attacker to access local resources on the server, such as the `/etc/passwd` file. An example of this is declaring an entity in the XML that points to a local file and then referencing this entity within the XML content.

The video transcript details a code review of a PHP application vulnerable to XXE. The code improperly handles XML input by not disabling the entity loader and using `LIBXML_NOENT`, which allows XML entities to be resolved. This can lead to significant security risks, including unauthorized file access and Cross-Site Scripting (XSS) vulnerabilities. It is essential to understand these risks and learn how to secure XML parsing to prevent such exploits.