Tag Archives: Xerces

GC Labs: Mitigating XML Entity Expansion Attacks with Xerces

Here are a few typical questions from my “assessment runbook” that I ask about any app that accepts and parses XML data controllable by an attacker (think file uploads, web services, stored XML content built from an external user's inputs, etc.):
(1) Is there a check to enforce a maximum number [...]