FHIR Chat · John's blog about XXE · implementers

Stream: implementers

Topic: John's blog about XXE


Grahame Grieve (Apr 20 2016 at 21:56):

http://healthcaresecprivacy.blogspot.com.au/2016/04/fhir-input-validation.html

Grahame Grieve (Apr 20 2016 at 21:57):

The problem with this is that unless you're like me, and think writing your own XML and JSON parsers is normal practice, you won't see the XXE attack to validate against it.

Grahame Grieve (Apr 20 2016 at 21:57):

And normal XML validation methods are themselves subject to the XXE attack. For instance, in some XML parsers I looked at, turning off DTD processing turned off validation.

Vadim Peretokin (Apr 20 2016 at 22:00):

You're better off in the world if you know about this stuff though. https://www.hacksplaining.com/exercises lists some XML-related vulnerabilities and is pretty easy to learn from

Grahame Grieve (Apr 20 2016 at 22:12):

Well, you sure need to know about it.

John Moehrke (Apr 28 2016 at 16:38):

I will add that to my blog article.


Last updated: Apr 12 2022 at 19:14 UTC