nerdexam
(ISC)2

CISSP · Question #379

Which of the following is the PRIMARY risk associated with Extensible Markup Language (XML) applications?

The correct answer is D. Potential sensitive data leakage.. The primary risk in XML applications is the potential for sensitive data leakage through vulnerabilities such as XML External Entity (XXE) injection, which can expose internal files and system data.

Submitted by zhang_li· Mar 5, 2026Software Development Security

Question

Which of the following is the PRIMARY risk associated with Extensible Markup Language (XML) applications?

Options

  • AUsers can manipulate the code.
  • BThe stack data structure cannot be replicated.
  • CThe stack data structure is repetitive.
  • DPotential sensitive data leakage.

How the community answered

(39 responses)
  • A
    3% (1)
  • B
    8% (3)
  • C
    18% (7)
  • D
    72% (28)

Why each option

The primary risk in XML applications is the potential for sensitive data leakage through vulnerabilities such as XML External Entity (XXE) injection, which can expose internal files and system data.

AUsers can manipulate the code.

While input manipulation is a general web application concern, it is not specific to XML's primary risk; XXE and data leakage are the well-established, XML-specific primary threats.

BThe stack data structure cannot be replicated.

The stack data structure's replicability is unrelated to XML security risks; XML uses a tree-based hierarchical structure, not a stack, and this is not a recognized XML vulnerability.

CThe stack data structure is repetitive.

Repetitiveness of a stack data structure is not a valid XML security concern and does not represent any recognized vulnerability or risk associated with XML applications.

DPotential sensitive data leakage.Correct

XML applications are vulnerable to attacks like XML External Entity (XXE) injection, where malicious XML input references external entities to read sensitive files (e.g., /etc/passwd), expose internal network resources, or exfiltrate data. Additionally, verbose XML error messages and improper schema validation can inadvertently reveal sensitive system or application information, making data leakage the primary security concern.

Concept tested: XML security risks and sensitive data leakage

Source: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Topics

#XML security#Data leakage#Application security#Input validation

Community Discussion

No community discussion yet for this question.

Full CISSP Practice