Even though most of the time I don't completely understand every bit, I really like your editing and presentation of these (for me) 'complex' topics! Keep it up! You're doing great man!
Well, well, well!! That's more than AMAAAAAAAAAAAZING!!! I was unable to understand XML and XXE as well until I watched your video. Thank you so much!! RECOMMENDED FOR ALL #BUG_BOUNTY_HUNTERS
The framework for explaining stuff is amazing. About every other video has an ncat -l 1337 command in it, and it has become a standard practice for me in my own work to use that command. The pwnfunction toolbox feels very versatile 👍 Really, really nice!
Tbh, I wonder why anyone would use DTDs anyhow? The reason I am so fond of XML is the existence of XSD and XSLT. A well-defined XML is both human-readable and machine-readable. It can be validated against an XSD, can be transformed with an XSLT, and can have the XSD, the XSLT and both the XML input and XML output validated against their respective XSDs. This is not something that we have for JSON or YAML. I was too lazy to look ... I somehow suspect that we have similar attack vectors in the X* suite.
Well, that's a longgggggggggg way. I don't think I could ever hit such crazy numbers. If I hit 10k, then I'll feel like I've accomplished something :) But thanks.
Never heard of that attack before the video. Soo wow, amazing. If you think about it, it's quite simple, actually. Btw, is there a way of securing it easily?
My reaction (comment, not video): eyes open wide, mouth covered with hand, deep breath, AKA "Surprised Pikachu". This is possibly one of the most evil things I've ever seen (yeah... I'm pretty innocent).
Love your channel, bro!! So I ran into a failure with DVWA in the "file upload" section; I've tried to upload a file with the payload. It seems to me that the server (using Docker) won't parse an XML file, can that be true? I'm getting this error: "This XML file does not appear to have any style information associated with it. The document tree is shown below." Or should I convert that to an HTML file?
2:42, I already think of JSON as easier: just use a string and escape the quote characters. **Edit:** I also prefer Lua when I need more than just data capabilities.
How can I disable XML parser resource referencing on, say, an Apache server? I don't want XML to be making any requests at all, either internal or, God forbid, accessing a 3rd-party URL! I just want hard-coded data from it...
What should I do if I have to configure an HTTP request to get a file's information, but its content contains special characters? We cannot use CDATA in a URL, right?
So how does one defend against this? Say I was running the server you were attacking and *didn't* want you reading /etc/passwd, but still wanted to retain as much (safe) functionality of the XML parser as possible. What would I do?
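The question above (keep the parser, stop it reading /etc/passwd) is answered at the parser level by turning off external entity resolution. The following is an added example, not code from the video or from any commenter: it builds the same shape of payload shown in the video (an external general entity pointing at a local file), feeds it to Python's standard-library xml.sax reader with the weak setting switched on, and then with the safe default. The "secret" file, its contents and the temp path are constructed here so the demo runs offline; Python's sax reader stands in for whatever parser the attacked server actually used.

```python
# Added example (not from the video or any commenter): the classic XXE file-read
# payload against Python's xml.sax, with the weak setting beside the safe default.
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def xxe_payload(file_url):
    """Classic XXE document: an external general entity whose SYSTEM id is a
    file:// URL (same shape as the file:///etc/passwd payload from the video)."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY secret SYSTEM "{file_url}">\n'
        "]>\n"
        "<data>&secret;</data>\n"
    )


def parse_document(xml_text, resolve_external_entities):
    """Parse xml_text and return the character data of the document.

    resolve_external_entities=True is the vulnerable configuration: the parser
    fetches whatever SYSTEM identifier the DTD names and splices it into the
    document. The safe configuration leaves the entity unexpanded.
    """
    parser = xml.sax.make_parser()
    # The weak setting. Python's expat-based reader defaults this to False,
    # which is exactly what keeps the default configuration safe here.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return collector.text


def demo():
    """Returns (leaked_text, safe_text) for a constructed secret file."""
    # Constructed stand-in for /etc/passwd; the path is a throwaway temp file.
    secret = "root:x:0:0:root:/root:/bin/bash\n"
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as fh:
        fh.write(secret)
        path = fh.name
    try:
        payload = xxe_payload(pathlib.Path(path).as_uri())
        leaked = parse_document(payload, resolve_external_entities=True)
        safe = parse_document(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The hardened call keeps everything else the parser does (elements, attributes, CDATA, internal entities) and only refuses to follow external entities; parameter entities have the matching `feature_external_pes` switch. If the application never needs a DTD at all, the stronger option is to reject any DOCTYPE outright, which is what OWASP recommends and what the Xerces/JAXP feature `http://apache.org/xml/features/disallow-doctype-decl` does on the Java side.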
On a certain Java server I'm able to retrieve the data of /sys/power/image_size (basically a number) using OOB XXE, but I'm unable to retrieve the contents of etc/passwd; any thoughts?
XML is so stupid, but maybe it's just that everything using XML is old and "legacy" and thus has a bad structure (or just one for internal use only), and it is thus extremely frustrating. I am currently working on a 50k-line XML; I don't use the DTDs or any of the other external information in the document, but I clicked on some links and most of them are 404s at this point... But hey, it's better than CSV with sometimes quotes, sometimes not, containing ~-separated arrays, with inconsistent formatting and id values.