Tradecraft Security Weekly Subscribe

Dissecting XXE Attacks – Tradecraft Security Weekly #19

September 25, 2017

When pentesting web services or an application that leverage XML files, XML External Entity (XXE) attacks are a great way to start. By injecting an XXE into a well crafted XML payload before it's sent to the server, a penetration tester can trick the parser into executing other actions that the developer never intended. This can lead to reading local files, server-side request forgeries (SSRF) or even gaining remote code execution (RCE). To help penetration testers, Beau Bullock (@dafthack) and Mike Felch (@ustayready) cover a few different methods to attack XML parsers in episode 19 of Tradecraft Security Weekly. Links: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

Full episode and show notes

Host

Paul Asadoorian

Paul Asadoorian

Founder at Security Weekly

https://securityweekly.com

Related

Security awareness

What We’ve Learned From Interviewing Cybercriminals – Adam Janofsky – ESW Vault

June 2, 2023

Check out this interview from the ESW VAULT, hand picked by main host Adrian Sanabria! This segment was originally published on October 21, 2021. The Record has published several interviews with cybercriminals, courtesy The Record's Russian-speaking analyst, Dmitry Smilyanets (https://therecord.media/author/dmitry-smilyanets). These interviews hav...

Career Ladders In Information Security – Marc French – BSW Vault

May 31, 2023

Check out this interview from the BSW VAULT, hand picked by main host Matt Alderman! This segment was originally published on June 8, 2020. Marc French has more than 25 years of technology experience in engineering, operations, product management, and security. Prior to his current role at CISO at Product Security Group, Marc was the SVP & Chi...

Vulnerability management

Plain Text Keystrokes, WPBT, One Packet Exploits, & Sock Puppets! – PSW #787

May 31, 2023

In the security news: keystroke logs are stored in plain-text (and other atrocities in software used in schools), WPBT is the gift that keeps on giving and this time it's Gigabyte, PCI DSS 4.0 (drink!), immutable linux desktops, one packet exploits, neat linux malware, sock puppets, a must read new book about hacks, why SMB why?, boot girls, exposi...