Some XXE Payloads

XML External Entity (XXE) injection exploits applications that parse XML input without disabling external entity resolution. If the XML parser is misconfigured (which many are by default), an attacker can define custom entities that read local files, make network requests, or cause denial of service. These payloads are for authorized security testing only.

What is XXE? When an XML parser processes a document, it can resolve entities defined in the DOCTYPE declaration. External entities use the SYSTEM keyword to reference files or URLs. If the parser resolves these without restriction, the attacker controls what the server reads and where it sends data. ...

March 14, 2023 · 3 min · Carl Sampson

Content Security Policy

Content Security Policy (CSP) is a browser security mechanism that controls which resources a web page is allowed to load. By declaring a policy via HTTP header, you tell the browser exactly which scripts, styles, images, fonts, and connections are permitted. Anything not explicitly allowed is blocked. CSP is one of the most effective defenses against Cross-Site Scripting (XSS) and data injection attacks.

How CSP Works: CSP is delivered as an HTTP response header: ...

February 23, 2023 · 3 min · Carl Sampson