XML External Entity Vulnerability DoS case: when does the expansion happen?



Forgive me if my question sounds strange - I am kind of new to XXE stuff. Basically, I am working on an app which takes an XML file as input and then processes it. We found out that the app is vulnerable to an XXE DoS attack, namely the famous Billion Laughs case. Before the file is processed, it is validated against a schema. So, my question is, will the DoS attack take place during the validation? Or are the XML entities not expanded during validation, so that the DoS attack will happen only after validation, when the validated file is parsed?
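The Billion Laughs document named above expands whenever a parser resolves its entity references, which is why a check in front of both the validator and the application parser is useful. Added example, not from the original post: a Python screen (standard library only) that computes how large each internal entity and the document body would become if expanded, without expanding anything, and refuses the file if the result exceeds a limit or any entity points outside the document. Both sample documents are constructed.

```python
import re
# Constructed samples: a small Billion Laughs DTD (three levels, fan-out 10) and a harmless document.
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""
BENIGN = '<!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>\n<note>&company;</note>'
DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
# General entity declarations only; parameter entities (<!ENTITY % ...>) do not match.
DECL_RE = re.compile(r"<!ENTITY\s+(\S+)\s+(?:\"([^\"]*)\"|'([^']*)'|(SYSTEM|PUBLIC)[^>]*)\s*>", re.S)
REF_RE = re.compile(r"&([^;\s&]+);")

def expansion_sizes(doc):
    """Expanded length of every internal general entity, computed symbolically, plus external entity names."""
    m = DOCTYPE_RE.search(doc)
    raw, external, sizes = {}, set(), {}
    for d in DECL_RE.finditer(m.group(1) if m else ""):
        if d.group(4):
            external.add(d.group(1))
        else:
            raw[d.group(1)] = d.group(2) if d.group(2) is not None else d.group(3)

    def size_of(name, visiting=frozenset()):
        if name in sizes:
            return sizes[name]
        if name in visiting:  # recursive entities are ill-formed XML anyway
            raise ValueError(f"recursive entity: {name}")
        total, last = 0, 0
        for r in REF_RE.finditer(raw[name]):
            total, last = total + r.start() - last, r.end()  # literal text before the reference
            inner = r.group(1)  # undeclared or predefined refs such as &amp; count as literal text
            total += size_of(inner, visiting | {name}) if inner in raw else len(r.group(0))
        sizes[name] = total + len(raw[name]) - last
        return sizes[name]

    for name in raw:
        size_of(name)
    return sizes, external

def assess(doc, limit=1_000_000):
    """Decide, before any parser or validator runs, whether the body would expand past `limit` bytes."""
    sizes, external = expansion_sizes(doc)
    body = DOCTYPE_RE.sub("", doc, count=1)
    expansion = sum(sizes.get(r.group(1), len(r.group(0))) for r in REF_RE.finditer(body))
    return {"body_expansion": expansion, "external_entities": sorted(external),
            "reject": expansion > limit or bool(external)}
```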

