Software Security notes, 08 Oct 2014
XML Entity Expansion
Create a foo.txt file in your C: directory and try to parse the following XML with a parser that processes DTDs. The result demonstrates the XML Entity Expansion vulnerability: the parser resolves the SYSTEM entity and substitutes the contents of the local file, and the nested internal entities are expanded into the output.
<?xml version="1.0"?>
<!DOCTYPE statement [
<!ENTITY fooFromFile SYSTEM "c:\foo.txt">
<!ENTITY first "hello">
<!ENTITY second " world">
<!ENTITY attack "&first; &second;">
]>
<statement>&fooFromFile; &attack;</statement>
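The defensive side of this, as an added example that is not part of the original note: a .NET parser configured so that the document above is rejected outright instead of having its entities resolved. It assumes System.Xml on .NET; the file path and entity names are the ones used in the note.

```csharp
// Added example (not from the original note): parse untrusted XML with DTD
// processing prohibited, so SYSTEM entities (local file reads) and nested
// entity expansion cannot happen.
using System;
using System.IO;
using System.Xml;

static class SafeXml
{
    public static XmlDocument ParseUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> is a hard error
            XmlResolver = null,                     // never fetch external resources
            MaxCharactersFromEntities = 1024        // extra cap on entity expansion
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument();
            doc.Load(reader);
            return doc;
        }
    }

    static void Main()
    {
        // The document from the note (constructed inline for the demo).
        const string attack = @"<?xml version=""1.0""?>
<!DOCTYPE statement [
<!ENTITY fooFromFile SYSTEM ""c:\foo.txt"">
<!ENTITY first ""hello"">
<!ENTITY second "" world"">
<!ENTITY attack ""&first; &second;"">
]>
<statement>&fooFromFile; &attack;</statement>";

        try
        {
            ParseUntrusted(attack);
            Console.WriteLine("parsed (unexpected: the DTD was processed)");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("rejected: " + ex.Message); // DTD is prohibited
        }

        // Ordinary XML without a DTD still parses normally.
        Console.WriteLine(ParseUntrusted("<statement>plain</statement>").DocumentElement.InnerText);
    }
}
```

With these settings the parser throws before any entity is resolved, so foo.txt is never read; if your application genuinely needs DTDs, DtdProcessing.Ignore with XmlResolver left null still keeps external entities from being fetched.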
Big Integer Arithmetic
Are you working with Big Integer arithmetic in C#?
Use checked blocks (or the /checked compiler option) so that arithmetic on fixed-size integral types such as int and long throws an OverflowException instead of silently wrapping around; use unchecked blocks only where wrap-around is intended. A silent wrap-around that yields a negative or tiny value for a length, index or allocation size is how such overflows turn into security bugs. Note that System.Numerics.BigInteger itself cannot overflow; the blocks matter for the fixed-width integers you convert to and from it.
MSDN has a great explanation on these blocks: MSDN Checked – Unchecked blocks