From eb75a7e30454e85da8b28e2ced63e70c665a9733 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=83=A0=E3=83=8F=E3=83=B3=E3=83=9E=E3=83=89?= Date: Fri, 4 Dec 2020 05:16:37 +0300 Subject: [PATCH] XXE WAF Bypass Added --- XXE Injection/README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 7c8523c..44fd88d 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -31,6 +31,7 @@ Syntax: `` - [XXE inside SOAP](#xxe-inside-soap) - [XXE inside DOCX file](#xxe-inside-docx-file) - [XXE inside XLSX file](#xxe-inside-xlsx-file) +- [XXE WAF Bypass via convert character encoding](#xxe-waf-bypass-via-convert-character-encoding) ## Tools @@ -507,6 +508,17 @@ updating: xl/_rels/workbook.xml.rels (deflated 66%) updating: xl/sharedStrings.xml (deflated 17%) ``` +### XXE WAF Bypass via convert character encoding + +In XXE WAFs, DTD Prolog are usually blacklisted BUT not all WAFs blacklist the UTF-16 character encoding

+`All XML processors must accept the UTF-8 and UTF-16 encodings of Unicode` +-- https://www.w3.org/XML/xml-V10-4e-errata#E11 +

+we can convert the character encoding to `UTF-16` using [iconv](https://man7.org/linux/man-pages/man1/iconv.1.html) to bypass the XXE WAF:-
+```bash +cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml +``` + ## References
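Review bot: the new table-of-contents entry in the first hunk, `- [XXE WAF Bypass via convert character encoding](...)`, is ungrammatical and breaks the pattern of the neighbouring entries ("XXE inside SOAP", "XXE inside DOCX file"); suggest "XXE WAF Bypass via character encoding conversion" and rename the `###` heading in the second hunk identically, since the `#...` anchor is derived from the heading text and must match it exactly.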
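Review bot: the second hunk's opening sentence, "In XXE WAFs, DTD Prolog are usually blacklisted BUT not all WAFs blacklist the UTF-16 character encoding", is hard to parse and leaves out the point a reader needs: signature-based WAFs usually match the DOCTYPE/DTD prolog as UTF-8 text, and a WAF that does not decode UTF-16 input before matching never sees those bytes, while the XML processor behind it, which the specification requires to accept UTF-16, still parses the document. State that explicitly, and add one line on the mitigation, which this section currently lacks: the parser-side control (disable DTD processing and external entity resolution) is unaffected by the encoding change, and a WAF should detect the document encoding and normalize the body to UTF-8 before applying its rules rather than matching raw bytes. Two smaller points: the quotation is wrapped in backticks as an inline code span with a `--` attribution on the next line; render it as a `>` blockquote, and since the sentence comes from the XML 1.0 Recommendation, section 4.3.3 "Character Encoding in Entities", link that section rather than the errata page. The shell line also has a needless `cat`; `iconv -f UTF-8 -t UTF-16BE utf8exploit.xml > utf16exploit.xml` does the same thing.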