xxe

Prevent XXE Attack with JAXB

烈酒焚心 submitted on 2019-11-27 06:53:21
Recently, we had a security audit on our code, and one of the problems is that our application is subject to the XML eXternal Entity (XXE) attack. Basically, the application is a calculator that receives inputs as XML, through a Web-Service. Here is an example of such an XXE attack on our application:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header/>
      <soapenv:Body>
        <foo:calculateStuff>
          <!--Optional:-->
          <xmlInput><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
            <!DOCTYPE currency [ <!ENTITY include SYSTEM "file:///d:/" >]>
            <calcinput>.

Prevent XXE Attack with JAXB

老子叫甜甜 submitted on 2019-11-26 10:34:20
Question: Recently, we had a security audit on our code, and one of the problems is that our application is subject to the XML eXternal Entity (XXE) attack. Basically, the application is a calculator that receives inputs as XML, through a Web-Service. Here is an example of such an XXE attack on our application:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header/>
      <soapenv:Body>
        <foo:calculateStuff>
          <!--Optional:-->
          <xmlInput><![CDATA[<?xml version="1.0"