V5.5.2 "prevent XXE" vs "prevent XXE attack"

[elarlang]

V5.5.2

Current:

V5.5.2 Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XXE.

• "XXE" = "XML External Entity"
• "to prevent XXE" = "to prevent XML External Entity".

Should be "to prevent XML External Entity attack"

Proposal:

V5.5.2 Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attack.

[jmanico]

I'd push this live right away, good stuff - Jim

On 5/29/20 8:06 PM, Elar Lang wrote: V5.5.2 <https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention-requirements> Current: V5.5.2 Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent *XXE*. * "XXE" = "XML External Entity" * "to prevent XXE" = "to prevent XML External Entity". Should be "to prevent XML External Entity attack" Proposal: V5.5.2 Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent *XML External Entity (XXE) attack*. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#794>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEBYCIOEAHLZ32XWKA5CIDRUBEYNANCNFSM4NON5M5Q>.

-- Jim Manico Manicode Security https://www.manicode.com

[tghosth]

Nice, done