https://www.secdev.uk/blog/tags/cwe-611/ Recent content in CWE-611 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 31 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-31-xxe-attacks/ Sat, 31 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-31-xxe-attacks/ <p>XML External Entity injection is one of those vulnerabilities that fascinated me the more I dug into it. The core issue is that the XML spec supports external entities, a feature that lets XML documents pull in content from external sources, and most parsers enable this by default. When an app parses untrusted XML without disabling that feature, an attacker can read arbitrary files off the server, perform SSRF, and sometimes even get remote code execution. What surprised me most when researching this was how straightforward the exploitation is compared to how long these bugs survive in production, the attack payloads are simple, but the parser defaults are so permissive that developers often have no idea the risk exists.</p> https://www.secdev.uk/blog/technology/2025-03-29-security-misconfiguration/ Sat, 29 Mar 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-03-29-security-misconfiguration/ <p>Security misconfiguration is the vulnerability class that really drove home for me why secure defaults matter more than secure documentation. OWASP A05 covers the gap between what a framework <em>can</em> do securely and how developers actually configure it. Debug mode left on in production. CORS wide open. XML parsers that resolve external entities. Settings endpoints with no authentication. These aren&rsquo;t coding mistakes, they&rsquo;re configuration mistakes, and they show up everywhere. In this post I&rsquo;ll walk through Python, Java, Go, and JavaScript examples covering CWE-16 (Improper Configuration) and CWE-611 (XML External Entity Processing), from the flags that any reviewer would catch to the subtle combinations that can survive months in production.</p>