Which XML attack exploits external entities to read files or perform Denial of Service via XML Bombs?


Explanation:
This is about the XML External Entity (XXE) attack. When an XML parser is allowed to resolve external entities, an attacker can define entities that reference local files or remote resources. The parser then retrieves or expands those entities, potentially exposing sensitive data (such as the contents of a local system file) or reaching services on internal networks. The Denial of Service angle comes from a variant known as an XML Bomb or Billion Laughs, where nested entities expand into enormous amounts of data, exhausting CPU or memory and crashing the service. So the vulnerability described—reading files via external entity references and causing DoS through entity expansion—fits XXE. XSS targets client-side script execution on web pages, SQL Injection targets databases via malicious SQL, and XML Bombs alone describe only the DoS technique rather than the broader external-entity vulnerability.