XML is widely used in web applications. External entities are an XML feature that allows other documents to be included. Although external entities are largely a legacy feature, your XML parser probably supports them. This session explores how XML External Entity (XXE) injection could be used against a web application to steal data and compromise confidentiality.
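A defensive check for the parser behaviour described above, as an added example that is not part of the original session description: it uses Python's standard-library expat bindings to refuse any document that declares an entity, so nothing is ever resolved. The function name, the sample documents and the placeholder file URI are constructed for illustration.

```python
import xml.parsers.expat


class EntityDeclarationRejected(ValueError):
    """Raised when a document declares a DTD entity (internal or external)."""


def parse_without_entities(xml_bytes):
    """Parse XML with expat and refuse documents that declare entities.

    Returns (element_name, text) pairs in the order the elements close.
    """
    parser = xml.parsers.expat.ParserCreate()
    closed, stack = [], []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # A system identifier means the entity points at another document.
        kind = "external" if system_id is not None else "internal"
        raise EntityDeclarationRejected(f"{kind} entity {name!r} declared")

    def on_start(name, attrs):
        stack.append([name, ""])

    def on_text(data):
        if stack:
            stack[-1][1] += data

    def on_end(name):
        tag, text = stack.pop()
        closed.append((tag, text.strip()))

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    # An exception raised in a handler aborts the parse and propagates here.
    parser.Parse(xml_bytes, True)
    return closed


# Constructed sample input: a plain document and one declaring an external entity.
PLAIN_DOC = b"<order><item>widget</item></order>"
ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">]>'
    b"<order><item>&ext;</item></order>"
)

if __name__ == "__main__":
    print(parse_without_entities(PLAIN_DOC))
    try:
        parse_without_entities(ENTITY_DOC)
    except EntityDeclarationRejected as exc:
        print("rejected:", exc)
```

Rejecting at the declaration means the document fails before any element content is handed to the application, whether or not the entity is ever referenced.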