Hey,
I wanted to raise a concern about the XML entity question from the Web Security exam (the one similar to the Billion Laughs attack).

In the question, entities like a0, a1, ..., a11 were defined recursively, but the final entity used was &a0; instead of &a11;. Based on that, I answered thinking the expansion wouldn't be too serious, wouldn't really cause a proper DoS, and that it was a trick question.

However, I recently heard from a friend in a different group (building) that a correction was announced in their session saying it should actually be &a11;, not &a0;. That correction wasn’t mentioned in my exam room at all.

I just wanted to ask how this will be handled in grading, since I answered based on the version I got (with &a0;). It would be unfair if the correction only applied to some groups.

Thanks!

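As an added illustration (not part of the original question or answer), the Python script below shows why the choice of top-level entity reference matters so much in a Billion Laughs style DTD. The exam's actual declarations are not reproduced above, so the script assumes the classic layout: a0 holds the string "lol" and each a[i] references a[i-1] ten times (both constants are assumptions, marked in the code). It computes the fully expanded size of any reference without performing the expansion, detects recursive entity cycles, and uses the computed size as a pre-parse budget check before the document is handed to xml.etree.

```python
"""Expansion analysis for a Billion Laughs style internal DTD.

Added example, not code from the original post. The entity definitions used
in the exam are not shown on the page; the 10-fold fan-out and the "lol"
payload below are ASSUMPTIONS in the style of the classic attack.
"""
import re
import xml.etree.ElementTree as ET

FANOUT = 10   # assumption: each a[i] references a[i-1] ten times
DEPTH = 11    # a0 .. a11, as described in the question
BASE = "lol"  # assumption: replacement text of the leaf entity

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


def build_dtd(depth=DEPTH, fanout=FANOUT, base=BASE):
    """Return the internal-subset declarations for a0 .. a<depth>."""
    decls = [f'<!ENTITY a0 "{base}">']
    for i in range(1, depth + 1):
        body = f"&a{i - 1};" * fanout
        decls.append(f'<!ENTITY a{i} "{body}">')
    return "\n".join(decls)


def build_document(top, depth=DEPTH, fanout=FANOUT, base=BASE):
    """Whole document whose body references the entity named by `top`."""
    return f"<!DOCTYPE x [\n{build_dtd(depth, fanout, base)}\n]>\n<x>&{top};</x>"


def parse_entities(dtd):
    """Map entity name -> literal (unexpanded) replacement text."""
    return dict(ENTITY_DECL.findall(dtd))


def expanded_size(name, entities, memo, stack=()):
    """Bytes produced by fully expanding &name;, computed without expanding.

    Literal characters count once; every nested reference contributes the
    (memoised) size of its own expansion. A reference cycle is rejected,
    since XML forbids recursive entities and expanding one never terminates.
    """
    if name in stack:
        raise ValueError("recursive entity: " + " -> ".join(stack + (name,)))
    if name in memo:
        return memo[name]
    if name not in entities:
        raise ValueError(f"undefined entity &{name};")
    text = entities[name]
    size = len(ENTITY_REF.sub("", text))
    for ref in ENTITY_REF.findall(text):
        size += expanded_size(ref, entities, memo, stack + (name,))
    memo[name] = size
    return size


def document_expansion(doc):
    """Bytes contributed by the entity references in the document body."""
    # Simple split on the end of the internal subset; adequate for this layout.
    dtd_end = doc.index("]>")
    entities = parse_entities(doc[:dtd_end])
    body = doc[dtd_end + 2:]
    memo = {}
    return sum(expanded_size(ref, entities, memo) for ref in ENTITY_REF.findall(body))


def parse_safely(doc, limit=1_000_000):
    """Refuse documents whose entity expansion would exceed `limit` bytes."""
    size = document_expansion(doc)
    if size > limit:
        raise ValueError(f"entity expansion would produce {size} bytes (limit {limit})")
    return ET.fromstring(doc)


if __name__ == "__main__":
    for top in ("a0", "a1", "a11"):
        doc = build_document(top)
        print(f"&{top}; expands to {document_expansion(doc):,} bytes")
    print("body text with &a0;:", parse_safely(build_document("a0")).text)
    try:
        parse_safely(build_document("a11"))
    except ValueError as exc:
        print("rejected:", exc)
```

With the assumed layout, &a0; expands to the 3 bytes of the leaf string while &a11; expands to 3 × 10^11 bytes, which is why the two versions of the question differ so much in severity. The budget check runs on the declarations alone and is cheap regardless of the referenced entity; in production, prefer a parser configured to refuse entity expansion altogether rather than a post-hoc estimate like this one.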

1 Answer

This was announced in both rooms (which we have proof of). There is no reason for this to be graded differently.