XXE INJECTION Deep Dive by @0xTib3rius

Published: 27 March 2021
on channel: Hack The Box Ottawa - Meetup

▬▬▬▬▬▬ Abstract & Bio 📝 ▬▬▬▬▬▬
In this session, Tib3rius performs a deep dive into the crazy web app vulnerability that is XML External Entity (XXE) Injection, explaining how and why it works, with live demos of several Portswigger Web Academy labs.

At the end of the session, he does a walkthrough of the Aragog HTB box, which uses XXE as part of its initial exploit vector.

Tib3rius (tib3rius.com)
Twitter: @0xtib3rius
Hacker @WhiteOakSec | AutoRecon Dev | YouTube: http://is.gd/0o0GDW |
Twitch: http://is.gd/aPafUV | Udemy: http://is.gd/Nhceps | Discord: http://is.gd/5wdfRz (he/him)

Tib3rius is a penetration tester with over 10 years of experience testing and breaking web applications. Late in his career, he decided to pursue the OSCP certification, and in the process helped build an online community in the InfoSec Prep Discord server, wrote a popular OSCP tool called AutoRecon, and helped thousands of students learn Privilege Escalation through his two Udemy courses. In his spare time, he enjoys gaming with friends and binging as many TV shows as he can.
▬▬▬▬▬▬ T I M E S T A M P S ⏰ ▬▬▬▬▬▬
00:00:35 Introduction of our guest Tib3rius by Rana Khalil
00:01:50 Tib3rius' intro
00:04:20 Lab 1: Exploiting XXE using external entities to retrieve files
00:18:16 Lab 2: Exploiting blind XXE to exfiltrate data using a malicious external DTD
00:30:14 Lab 3: Exploiting blind XXE to retrieve data via error messages
00:38:26 Lab 4: ARAGOG (user flag)

▬▬▬▬▬▬ Useful Links 🛠 ▬▬▬▬▬▬
Slides
tib3rius.com/docs/XXE.pdf

Web Security Academy
https://portswigger.net/web-security (Sign Up)

Web Security Academy Labs
https://portswigger.net/web-security/...
https://portswigger.net/web-security/...
https://portswigger.net/web-security/...

Burp Community Edition
https://portswigger.net/burp/communit...

▬▬▬▬▬▬ Hack The Box Ottawa 🛠 ▬▬▬▬▬▬
Meetup.com: https://www.meetup.com/Hack-The-Box-M...
Twitter: @hackthebox_yow
