Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Intigriti Profile picture
@intigriti
Aug 11, 2023 โ€ข 9 tweets โ€ข 3 min read โ€ข Read on X
Scrolly
XXE exploitation ๐Ÿ‘‡๏ธ Image
Today, we will cover how you can successfully exploit XXE vulnerabilities

If you aren't familiar with the concepts of XXE yet...

This thread is made just for you! ๐Ÿ‘‡๏ธ
1โƒฃ Basic exploitation via XML Entities

Let's start off with the most basic example

A web app that queries the backend to retrieve your previously sent messages Image
To test if this feature is vulnerable to XXE, we could try and retrieve a local file

To do so, we'd have to add the XML entity definition ourselves: Image
Afterwards, include your entity in the field and send the request

The response should contain the contents of the local file "/etc/passwd" Image
But we can also take the same approach to request an internal or external resource and escalate this into an SSRF vulnerability! Image
2โƒฃ Exploitation via OOB technique

This exploitation technique involves us hosting a DTD file and referencing it in our payload

The XML parser will then parse our malicious XML data and retrieve the external DTD
That DTD file contains our payload

And just as before, we can send our request and retrieve the contents of a local file for example!
Image
Image
We hope you've learned something new from this thread on XXE exploitation:

If you have enjoyed this thread:
1. Follow us @INTIGRITI for more of these threads ๐Ÿ›๏ธ
2. Retweet the first Tweet to share it with your friends ๐Ÿ’™๏ธ

โ€ข โ€ข โ€ข

Missing some Tweet in this thread? You can try to force a refresh
ใ€€

Keep Current with Intigriti

Intigriti Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @intigriti

Intigriti Profile picture
Jul 4
Do you want to find more vulnerabilities with recon? ๐Ÿค‘

Open this thread (step-by-step guide)! ๐Ÿงต ๐Ÿ‘‡ Image
Before we dive in, let's first cover what recon (short for 'reconnaissance') is.

Recon is the first crucial phase of any engagement and it involves mapping out (sub)domains, IP ranges, technologies and services, as well as any other publicly accessible information through several techniques
Bug bounty hunters who spend time performing reconnaissance, are almost always rewarded well for their efforts as they often come across exposed assets or hosts that have never been tested before ๐Ÿค‘

Let's now dive deeper into how you can find these untested assets to find more vulnerabilities! ๐Ÿ‘‡
Read 11 tweets
Intigriti Profile picture
May 30
12 API hacking bug bounty tips you must try on your target! ๐Ÿ˜Ž

๐Ÿงต ๐Ÿ‘‡ Image
1๏ธโƒฃ Blind XSS via request headers

Applications log your data in various ways, including in insecure ways. Always test for blind XSS vulnerabilities by injecting your payload in common request headers, such as:
โ€ข Referrer
โ€ข X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Ip, Host (in case of a reverse proxy)
โ€ข User-Agent
โ€ข Etc.

Dive deeper into blind XSS:
intigriti.com/researchers/blโ€ฆImage
2๏ธโƒฃ Legacy API endpoints

Are your request paths prefixed with an "/api/v2"? Try testing legacy endpoints by:
โ€ข Replacing "/api/v2" with "/api/v1"
โ€ข Removing "/v2" altogether

Try similarly in case it's a subdomain: api-v2\.example\.com โ†’ api-v1\.example\.com or api\.example\.com
Read 14 tweets
Intigriti Profile picture
Mar 14
Master exploiting XXE vulnerabilities! ๐Ÿ˜Ž

A thread ๐Ÿงต ๐Ÿ‘‡ Image
XML eXternal Entity (XXE) injection is a vulnerability class that stems from inadequate user input validation during XML parsing, allowing attackers to take advantage of parser misconfigurations!

This often leads to local file read, server-side request forgery, and, in severe cases, even remote code execution!
However, XXE vulnerabilities are much harder to spot nowadays.

You must pay close attention to application components that might accept and process XML data, such as:

โ€ข Document converters (Word/Excel)
โ€ข SVG file processors
โ€ข RSS/Atom feed processors
โ€ข Importing features (accepting XML data)
Read 15 tweets
Intigriti Profile picture
Feb 15
Master hacking WordPress targets in one thread! ๐Ÿค‘

๐Ÿงต ๐Ÿ‘‡ Image
We've all come across a WordPress instance before...

It's a powerful content management system (CMS) that can be deployed for all sorts of use cases, from landing pages to blogs and e-commerce sites!
WordPress also provides support for plugins and themes allowing developers to further extend the CMS's capabilities!

Luckily for us, not every WordPress target deserves the same security attention, allowing security vulnerabilities to easily arise unnoticed!
Read 14 tweets
Intigriti Profile picture
Dec 27, 2024
Want to master 2FA bypassing? ๐Ÿค‘

Let's look at several possible ways to bypass this 2FA screen! ๐Ÿ‘‡ Image
2-Factor authentication (2FA) vulnerabilities arise when the implementation of this security layer is weak or contains logic errors

Bypassing 2FA can give us unauthorized access to applications, user accounts, etc.

For that reason, you should never neglect the impact of 2FA bypasses!
Let's dive into some methods to help you find and exploit simple as well as advanced multi-factor authentication vulnerabilities! ๐Ÿ˜Ž
Read 10 tweets
Intigriti Profile picture
Sep 13, 2024
Want to master AWS S3 hacking? ๐Ÿค‘

This thread is for you! ๐Ÿงต ๐Ÿ‘‡ Image
AWS S3 (Simple Storage Service) buckets are a popular storage service often used by software companies to store data.

This is often sensitive data (such as receipts, invoices, etc.) but it can also be used to store public images such as profile pictures for example!
AWS S3 buckets are protected by Access Control Lists (ACLs), a set of rules that admins or developers declare to allow or disallow access

When these ACLs are incorrectly configured, they can open up access to unauthorized users

In this thread, we will cover a few commonly found security misconfigurations that can often lead to data leaks!
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(