Hey there. Welcome back. In our previous lessons, we looked at SQL-based Injection attacks. In this one, we're going to focus on XML External Entity Injection, sometimes referred to as XML Injection or even XXE. I'm going to call it XML Injection. In this lesson, we're going to be working on a basic understanding of how XML works before we can get started. After this lesson, you'll be able to define XXE or XML Injection, discuss the dangers of simply acting on user-provided data without care, then use an XML viewer and a text editor to play around with code. Let's dig into it. Hi everyone. The next type of injection flaw we're going to look at is XXE. XXE stands for XML External Entity attacks. Much like SQL Injection, this could be a devastating attack, and we're going to look at it because it's one of the two lessons that WebGoat offers. So we already covered SQL Injection. We already covered cross-site scripting, both of which are injection attacks on different endpoints, the client or the server. We're just going to go through XXE as well to show a variant of injection attacks and how taking data from a user and simply acting on it without care could cause some issues for us. Now, in order for us to work with XXE, we need to understand how XML works. So I wanted to play around a little bit with an XML parser, just to get a basic idea of how XML works if you have no background in XML. I am by no means an expert in XML. It's just a tool and I've used it before. So if you feel like you understand XML really well, feel free to skip this video and meet us on the next video, and we'll continue from there. So the remainder of this video is going to be getting a basic understanding of how XML works. So I like to use this website. Let's see if I can find it. Yeah, there it is: countwordsfree.com, which has an XML viewer. XML data looks something like this, and if you convert that to JSON, it'll come out something like this.
Now, I'm not going to do the work in here. We're going to do the processing in here, but we're going to actually use a text editor to play around with our code, and I'm going to snap this window to the left and I'm going to zoom out of it simply because we're just going to use it as a staging area. All right. So XML is pretty cool. It's just like HTML, it is a markup language. I shouldn't say just like HTML. It's similar to HTML in that it is a markup language, and some of the syntax might look very familiar. So in it, you can define your element types, and from there, you can create your objects. So let's play around with it and see what we get. So I am going to create an element. I'm going to convert my indents to spaces, so that it's all pretty and we can see what we're doing. So I am going to define an element type of type foo, maybe, and I'll tell it that I can put any type of data in it. As you can see, I have PCDATA here. I'm just going to put ANY for my foo objects. So I can delete this, and I can have foo. In foo, maybe I can have author, and in my author, and I'll end my foo. Maybe author should be enjoying. I'll just do my own name for now. I'm going to paste that in here, and convert that. You can see that it just creates a JSON object for us and a nested object foo. Let's see, I can also add text, maybe. So if I copy this over, you'll notice something like this, and let me just add a copyright. We'll add a copyright element. I'll just call it copy, and I'll just say any data can go in there. That's a terrible practice. We're just trying to learn. So if I have copy in here, I can say, "Copyright 2018." Let's copy this over again and see what it looks like in JSON. Perfect. Now, let's make a root object. So I'm going to say ELEMENT root ANY, and I'm going to put root here and my root here, and, just to make it pretty and readable, I'm going to indent this. Let's test that out to make sure I didn't break anything. Perfect. So we have a root object.
The root object has foo, and my intent is to say the root object is our outermost object. Think of it like an array, and in it, we're going to have a bunch of foo objects. I'm going to re-indent this code so that it looks pretty. So this is what we ended up with. So now, we have a root object and in it, we have two different foo objects. Let's test that out. I'll make sure I don't break anything. Perfect. So it works perfectly fine, as expected. So as you can see, I'm trying to create a use case to demonstrate one of the features of XML, and that is to be able to reference data. So say in the year 2019, I needed to come here. Instead of doing search and replace on copyright 2019, I can make my job a little bit easier, define my own entity, and simply replace the copyright dates with it. So I'm just going to say date, I'll call it date, and then maybe I'll just say, copyright 2018. The idea behind this is so that I don't have to replace every single one of these every single year; I can simply reference a date. I can do that by going ampersand, date, which is what I named my object up here, semicolon. So I'm just going to paste that in here. Now, the expectation, going from the previous one where I actually had written copyright 2018 in every single one of the copy objects, which printed it out for me, is that I want the same end result, so that my JSON object should look the same. But my XML object looks like this. So let's try that out. So we get the same end result. So basically, what this XML parser is doing is it's replacing, in my root object, in my foo object, the copyright date with whatever I reference there. Now technically, I could also reference things on my file system. So wherever this XML parser is sitting, I could reference that object on the file system, and I don't have the facilities to demonstrate that here, but we're going to do that in WebGoat on the next video.
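As an added example, not part of the lesson or of WebGoat, here is the document built above reconstructed with Python's standard library: the DTD declares the element types and the internal entity date, the parser expands &date; inside each copy element, and a pre-parse check refuses any document whose DTD declares an entity with a SYSTEM or PUBLIC identifier, which is the file-system reference the lesson ends on. The author values and the placeholder file path are constructed for the example.

```python
"""Added example (not the lesson's or WebGoat's code): internal entity expansion
and a pre-parse check that refuses external entity declarations."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample reconstructing the document built in the lesson: ELEMENT
# declarations, one internal entity named "date", and two foo objects that use it.
LESSON_XML = """<?xml version="1.0"?>
<!DOCTYPE root [
  <!ELEMENT root ANY>
  <!ELEMENT foo ANY>
  <!ELEMENT author (#PCDATA)>
  <!ELEMENT copy ANY>
  <!ENTITY date "Copyright 2018">
]>
<root>
  <foo>
    <author>First Author</author>
    <copy>&date;</copy>
  </foo>
  <foo>
    <author>Second Author</author>
    <copy>&date;</copy>
  </foo>
</root>
"""

# Constructed sample of the dangerous variant: the entity's replacement text
# would come from outside the document (the path is a placeholder, not a real file).
EXTERNAL_XML = """<?xml version="1.0"?>
<!DOCTYPE root [
  <!ELEMENT root ANY>
  <!ENTITY date SYSTEM "file:///placeholder/copyright.txt">
]>
<root><foo><copy>&date;</copy></foo></root>
"""


class ExternalEntityError(ValueError):
    """Raised when a DTD declares an entity that points outside the document."""


def reject_external_entities(xml_text):
    """Scan the DTD with expat and raise on any SYSTEM/PUBLIC entity declaration.

    expat reports every <!ENTITY ...> declaration while reading the DOCTYPE, which
    precedes the body, so raising from the handler stops parsing before any
    external reference could be resolved.
    """
    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(
                f"entity {name!r} is external ({system_id or public_id})")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)


def is_safe(xml_text):
    """True when the document declares no external entities."""
    try:
        reject_external_entities(xml_text)
    except ExternalEntityError:
        return False
    return True


def copyright_lines(xml_text):
    """Check the DTD first, then parse and return the expanded text of each <copy>."""
    reject_external_entities(xml_text)
    root = ET.fromstring(xml_text)
    return [copy.text for copy in root.iter("copy")]


if __name__ == "__main__":
    print(copyright_lines(LESSON_XML))   # both copies expand to "Copyright 2018"
    print(is_safe(EXTERNAL_XML))         # False: SYSTEM entity refused before parsing
```

The internal entity behaves exactly as the lesson shows: the parser substitutes "Copyright 2018" wherever &date; appears, so the two copy elements come out identical. The same substitution mechanism is what makes a SYSTEM entity dangerous, which is why the check runs over the DTD before the document body is ever parsed; in production code a hardened parser library such as defusedxml applies this kind of refusal for you.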