XML External Entity Attacks are nicely described on page 283, but the authors seemed to have missed the point.
For a successful XXE attack, you need the service to respond with a document containing the user-supplied input.
The example given is just too simplistic. When adding an unexpected <foo> element to the request, there is no way the <foo> element will be included in the response.
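The condition this review describes, shown as an added example that comes from neither the book nor the reviewer: a hypothetical service, `handle_order`, echoes one field and ignores an unknown `<foo>` element, so an entity value returns to the caller only through the echoed field. The request is constructed and uses a harmless internal entity; `reject_doctype` and `handle_order_hardened` are assumed names for one way to refuse such input before parsing.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed request: internal entity only, nothing outside the document is read.
REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY e "ENTITY-VALUE">]>'
    '<order><name>&e;</name><foo>&e;</foo></order>'
)


def handle_order(xml_text):
    """Hypothetical service: echoes <name> in its reply, ignores unknown elements."""
    root = ET.fromstring(xml_text)  # expat expands the internal entity here
    name = root.findtext("name", default="")
    reply = ET.Element("reply")
    ET.SubElement(reply, "greeting").text = "Hello " + name
    return ET.tostring(reply, encoding="unicode")


class DoctypeForbidden(ValueError):
    """Raised when a request carries a DOCTYPE declaration."""


def reject_doctype(xml_text):
    """Scan the document with expat and refuse any DOCTYPE, so no entity is ever defined."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden("DOCTYPE not allowed: " + name)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_text, True)


def handle_order_hardened(xml_text):
    """Same service, but entity-bearing input is rejected before it is parsed."""
    reject_doctype(xml_text)
    return handle_order(xml_text)


if __name__ == "__main__":
    print(handle_order(REQUEST))  # entity value appears via <name>; <foo> is dropped
    try:
        handle_order_hardened(REQUEST)
    except DoctypeForbidden as exc:
        print("rejected:", exc)
```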