Articles / Blogs:
http://www.christian-schneider.net/GenericXxeDetection.html https://medium.com/@asif.baig330/lithium-community-platform-xxe-vulnerability-6454dd9377f8
https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870 https://blog.zsec.uk/out-of-band-xxe-2/
https://www.slideshare.net/ssuserf09cba/xxe-how-to-become-a-jedi
https://blog.netspi.com/playing-content-type-xxe-json-endpoints/
https://hawkinsecurity.com/2018/03/24/gaining-filesystem-access-via-blind-oob-xxe/
https://versprite.com/blog/xml-external-entity-xxe-processing/utm_content=73970973&utm_medium=social&utm_source=twitter
http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html
https://medium.com/@jonathanbouman/xxe-at-bol-com-7d331186de54
https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation
https://securityidiots.com/Web-Pentest/XXE/XXE-Cheat-Sheet-by-SecurityIdiots.html
https://www.exploit-db.com/docs/english/45374-xml-external-entity-injection---explanation-and-exploitation.pdf
https://2017.zeronights.org/wpcontent/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf
https://github.com/BuffaloWill/oxml_xxe
https://0xgaurang.medium.com/out-of-band-xxe-in-an-e-commerce-ios-app-e22981f7b59b
https://blog.cobalt.io/how-to-execute-an-xml-external-entity-injection-xxe-5d5c262d5b16
https://f4d3.io/xxe_wild/
https://github.com/GoSecure/dtd-finder/blob/698fd678f26395e1c7c097525f7182aecad0cd5f/list/xxe_payloads.md
https://www.blackhat.com/html/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.html
https://www.youtube.com/watch?v=LZUlw8hHp44
https://faun.pub/xxe-attacks-750e91448e8f
https://estebancano.medium.com/unique-xxe-to-aws-keys-journey-afe678989b2b
https://smoggy-mozzarella-076.notion.site/XXE-9d5d3f12a5c4487e82fddf564d792fcd
https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe
Tools / Payloads:
Twitter:
https://twitter.com/huntmost/status/1216033868773580800
https://twitter.com/soaj1664ashar/status/1080877419723194370
https://twitter.com/honoki/status/1301092916551659522
https://twitter.com/Bugcrowd/status/1342184648856616972?s=20
https://twitter.com/harshbothra_/status/1350891025032646656?s=20
Last updated 3 years ago