CISSP · Question #379
Which of the following is the PRIMARY risk associated with Extensible Markup Language (XML) applications?
The correct answer is D. Potential sensitive data leakage.. The primary risk in XML applications is the potential for sensitive data leakage through vulnerabilities such as XML External Entity (XXE) injection, which can expose internal files and system data.
Question
Options
- AUsers can manipulate the code.
- BThe stack data structure cannot be replicated.
- CThe stack data structure is repetitive.
- DPotential sensitive data leakage.
How the community answered
(39 responses)- A3% (1)
- B8% (3)
- C18% (7)
- D72% (28)
Why each option
The primary risk in XML applications is the potential for sensitive data leakage through vulnerabilities such as XML External Entity (XXE) injection, which can expose internal files and system data.
While input manipulation is a general web application concern, it is not specific to XML's primary risk; XXE and data leakage are the well-established, XML-specific primary threats.
The stack data structure's replicability is unrelated to XML security risks; XML uses a tree-based hierarchical structure, not a stack, and this is not a recognized XML vulnerability.
Repetitiveness of a stack data structure is not a valid XML security concern and does not represent any recognized vulnerability or risk associated with XML applications.
XML applications are vulnerable to attacks like XML External Entity (XXE) injection, where malicious XML input references external entities to read sensitive files (e.g., /etc/passwd), expose internal network resources, or exfiltrate data. Additionally, verbose XML error messages and improper schema validation can inadvertently reveal sensitive system or application information, making data leakage the primary security concern.
Concept tested: XML security risks and sensitive data leakage
Source: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
Topics
Community Discussion
No community discussion yet for this question.