Although attacks against XML parsers have been well known for years, in our experience they still
do not get the attention they deserve. This applies even more strongly to XML-based file formats
that do not carry an .xml filename extension: developers simply do not realize they are dealing
with XML files.
One exception is SVG. Everybody knows it is XML, so software and libraries handling this format
tend to include countermeasures against XML attacks. But, for example, the GPX and KML formats
used by GPS software and sport trackers, the CML used for molecule modelling in chemistry and
pharmaceutical research, other file formats used for various scientific purposes (MathML,
LandXML, GML), and the oBIX protocol used for communication between sensors and controllers in
smart homes are all XML-based, and much of the software handling them is vulnerable to XML
attacks. In our presentation we demonstrate the risks of so-called XEE attacks, which abuse XML
entity processing, and show some countermeasures.