For a quick recap of which attacks are possible, see our DTD Cheat Sheet post.
In this post, we present the results in a nutshell.
The information presented here is based on this master's thesis, which covers the respective results in greater detail.
We identified 16 test vectors, each testing a specific attack vector (e.g. XXE, various kinds of DoS, XXE parameter entity, ...). We ran these tests against the default parser configuration and therefore call them core tests.
Additional tests are based on the same test vectors, but we executed them against custom (modified) parser configurations to show the effect of specific parser features.
The complete test set is available on GitHub.
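The core-test versus modified-configuration method described above can be tried on a single parser. The following is an added example, not code from the thesis or its test set: it assumes Python's standard-library `xml.sax` (3.7.1 or later) as the parser under test, and the function names, the entity name `probe` and the marker value are hypothetical.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

MARKER = "CONSTRUCTED-MARKER-1234"  # constructed sample value, not real data

class TextCollector(ContentHandler):
    """Collects all character data the parser hands to the application."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def characters(self, content):
        self.chunks.append(content)

def run_vector(xml_bytes, features=None):
    """Parse one test vector; `features` overrides the default configuration."""
    parser = xml.sax.make_parser()
    for feature, state in (features or {}).items():
        parser.setFeature(feature, state)
    collector = TextCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXException as exc:
        return {"outcome": "rejected", "text": str(exc)}
    return {"outcome": "parsed", "text": "".join(collector.chunks)}

def compare_configs():
    """Run one vector as a core test (defaults) and against a modified config."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(MARKER)  # local file the entity points at, created by this test
    vector = (
        '<!DOCTYPE doc [<!ENTITY probe SYSTEM "%s">]>'
        "<doc>[&probe;]</doc>" % fh.name
    ).encode("utf-8")
    try:
        core = run_vector(vector)
        modified = run_vector(vector, {feature_external_ges: True})
    finally:
        os.unlink(fh.name)
    # True means the external entity was resolved and its content reached the app.
    return {
        "core (default config)": MARKER in core["text"],
        "modified (external_ges on)": MARKER in modified["text"],
    }

if __name__ == "__main__":
    for config, vulnerable in compare_configs().items():
        print(f"{config}: {'VULNERABLE' if vulnerable else 'not vulnerable'}")
```

The same vector gives different verdicts under the two configurations, which is the effect the additional tests are designed to expose.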
Results

We analyzed the following parsers and summarized the test results in Table 1. In addition, we show which attacks cannot be …