XML External Entities (XXE) Explained

153,422 views

PwnFunction

1 day ago

#WebSecurity #XXE
A video on exploiting XML parsers, specifically XML External Entity (XXE) attacks.
🔗 Links
John's channel : / rootofthenull
Stok's video on OOB XXE via file uploads : • A $7.500 BUG BOUNTY Bu...
Ippsec's Fulcrum walkthrough : • HackTheBox - Fulcrum
Nicolas Grégoire's works : www.agarri.fr/en/
Exploiting XXE with local DTD files : mohemiv.com/all/exploiting-xx...
SPONSORED BY INTIGRITI - intigriti.com
🎵 Track: Warriyo - Mortals (feat. Laura Brehm)
NCS link: • Warriyo - Mortals (fea...
#WebSecurity #XXE #CTF

Comments: 144
@iamwaseem99 4 years ago
4:12 "S" in XML stands for "Security"....LOL
@ari_archer 3 years ago
that's the point hah
@ShawSumma 3 years ago
SGML?
@cyberpro151 2 years ago
are you a bug bounty hunter?
@TryX10 5 years ago
Even though most of the time I don't completely understand every bit, I really like your editing and presentation of these (for me) 'complex' topics! Keep it up! You're doing great man!
@youssefighzane1668 5 years ago
Well, well, well !! That's more than AMAAAAAAAAAAAZING !!! I was unable to understand XML and XXE as well until I watched your video. Thank you so much !! RECOMMENDED FOR ALL #BUG_BOUNTY_HUNTERS
@InfiniteLogins 4 years ago
I really appreciate your video editing techniques. Makes the content easy to follow and engaging.
@dxsp1d3r 5 years ago
Why didn't I find this before? Awesome stuff man. Thank you. I came to know about this channel from Stok's tweets xD
@Yaxqb 2 years ago
The framework for explaining stuff is amazing. About every other video has a ncat -l 1337 command in it, and it has become a standard practice for me in my own work to use that command. The pwnfunction toolbox feels very versatile👍 Really really nice!
@reema6306 1 year ago
I've spent a week learning XML and XXE, and your video just summarized 80% of what I learned. Great job!
@fmattia99 5 years ago
John's voice is equal to IppSec's voice, this blew my mind :D
@abdallahdamnat382 4 years ago
Fel
@markgentry8675 3 years ago
hahahaha not just me that got confused for a second
@Sercan_Yilmaz 3 years ago
He is ippsec ;) John Hammond
@thedude8503 3 years ago
I love this channel, the people in it and the people subscribed to it. Thank you for making it simple
@aniceguy2577 4 years ago
This is pure gold. Thx for the great content
@seewhatseeabc 4 years ago
Wow love this style. By the way thanks for the super clear explanation. Especially with the examples, super good clear cut examples.
@domss1174 5 years ago
Loving your channel man, keep up the good work!
@zanidd 5 years ago
I really like the style of your vids! Keep em coming
@abdelrhmanali2955 3 years ago
Your explanation is really AWESOME bro
@petervsjim 1 year ago
Thanks for the awesome video and slides! Very clear and knowledgeable
@P4cm4n0x 2 years ago
Best explanation ever. Very very to the point. Thank you :)
@sakyb7 5 years ago
"xxe is just a beginning" this line with the background... goosebumps
@rhenaldodelfinugraha9694 4 years ago
Awesome explanation. It's easy to understand, Thank you. Please make more cool videos
@TheZethera 3 years ago
I just have to say your opening and music are perfect 👌
@DeltaEchoVictor 3 years ago
Its name is Mortals
@iDontProgramInCpp 3 years ago
3:56 diReRectly
@synthdog2819 3 years ago
17:06 willbewillbe
@HyderAli-hl8mw 3 years ago
Very informational for beginners. Thank you so much
@mikekittelberger7947 1 year ago
omg, thank you. This video is so good :)
@venkaraj 2 years ago
Such an insightful video. Thanks a ton
@FriedMonkey362 1 month ago
I have literally never heard about this before, this is so cool, I almost thought it was an April fool's video for a second
@joshaprior3699 5 years ago
first GREAT CHANNEL
@tapank415 5 years ago
@// Anuj ó_ó
@pwndumb2903 4 years ago
Great Video. Thx for sharing your knowledge.
@rahulnair1923 1 year ago
Loved the explanation !!!!!!!!!!🤩
@janithmalinga5765 2 years ago
Superb explanation
@AkashRaj-ui1pj 5 years ago
Your videos are a aaaaaaaaaamaaaaaazinggggg
@Hope-kf1nl 4 years ago
You're a hero! Thanks my man.
@hydr0nium_ 5 years ago
Never heard of that attack before the video. Soo wow amazing. If you think about it it's quite simple actually. Btw is there a way of securing it easily?
@carloszavaleta 5 years ago
Awesome content!
@anonymouseye4892 3 years ago
Nice explanation 🔥
@shrirangdiwakar 3 years ago
Great Explanation !
@medjassertoubib4467 2 years ago
great video. We look forward to new videos
@kinjalsangale1225 3 years ago
Please make more videos on different vulnerabilities... explanations are 👌
@devsingh6041 4 years ago
this video is sufficient to understand XXE. Thanks Pwn You Func well ;-)
@CosmoCopulates1 5 years ago
Dude, your videos are great! What do you use to create the animations?
@PwnFunction 4 years ago
Adobe animate boi.
@SatsJava 5 years ago
You deserve a million subscribers. Keep making more videos mate
@PwnFunction 5 years ago
Well that's a longgggggggggg way. Don't think I could ever hit such crazy numbers, if I hit 10k then I feel like I've accomplished something :) but thanks.
@0xExploitXpErtz 1 year ago
@@PwnFunction u will surely achieve it IA
@faizannehal1 3 years ago
This is the best video on XXE
@tanishqsachdev8388 4 years ago
Amazing video.
@emmanuelafolabi6847 5 years ago
Great video, your videos have been educative, can you make a video on based XSS?
@PwnFunction 4 years ago
Next one!
@eshaan7_ 5 years ago
What theme for VScode and terminal are u using? BTW Great video, thanks!
@PwnFunction 5 years ago
Monokai Pro Terminus - eugeny.github.io/terminus/
@ashleypursell9702 3 years ago
great video thanks so much
@muhammadadel9537 4 years ago
Super AWESOME!!
@huntit4578 3 years ago
What software do u use to make these slideshows or animations (whatever) to explain these attacks in such an interesting way?
@tapank415 5 years ago
:) Amazing!
@heycherry100 5 years ago
very nice video.
@patrickslomian7423 3 years ago
Love your channel Bro !! So I ran into a failure with DVWA in the section "file upload", I've tried to upload a file with the payload. It seems to me that the server (using docker) won't parse an xml file, can that be true ? I'm getting this error: "This XML file does not appear to have any style information associated with it. The document tree is shown below." Or should I convert that to an html file ?
@nuridincersaygili 1 year ago
This is pure gold..
@neadlead2621 10 months ago
thanks bro, I've one question: at 18:05 why do we need %start and %end, why not change them directly to the value
@Manabender 3 years ago
So how does one defend against this? Say I was running the server you were attacking and *didn't* want you reading /etc/passwd, but still wanted to retain as much (safe) functionality of the XML parser as possible. What would I do?
@aidenrhama9147 5 years ago
what software did you use to make this content ?
@prudhvidanyamraju8017 5 years ago
On a certain java server I'm able to retrieve the data of /sys/power/image_size (basically a number) using OOB xxe but I'm unable to retrieve contents of /etc/passwd ; any thoughts?
@BALAKRISHNAN-pf1ol 1 year ago
Can you attach a link to the xml parser you used in the video
@r4nd0m25 3 years ago
god level videos
@Pcpiee 5 years ago
What terminal do you use for the examples? It looks very nice. Guessing it's cygwin based by the looks of it
@PwnFunction 4 years ago
Terminus - eugeny.github.io/terminus/
@jasonmikinskiwallet4308 3 years ago
I love the Intro
@erdosamangeldin3105 2 years ago
The & sign shows an error while referencing an entity. I tried in ascii or hex too, it is not working. Is there any other way to reference it?
@tekken-pakistan2718 4 years ago
damn boi, that outro tho!
@helloguy1179 2 years ago
What should I do if I have to configure a http request to get a file's information, but its content contains special characters? We cannot use CDATA in a URL, right?
@SatriaAdyPradana 3 years ago
do you have a git repo which collects the scripts and XML files used here?
@itizazadil9369 5 years ago
Thanks for the Video
@user-tz5rd3rt2s 5 years ago
Nice Stuff
@giospadaccini119 5 years ago
In Italy xml is used to send invoices to the IRS, and after a few days it sends that to your client .... So this video reassures me..
@tekken-pakistan2718 4 years ago
nice as always! Can you please share your terminal's configuration/name etc.? is it zsh with custom config? Thanks much!
@PwnFunction 4 years ago
Terminal: eugeny.github.io/terminus/ Yes, I'm using ohmyzsh (default theme: robbyrussell)
@aleksandar5323 2 years ago
How can I disable XML parser resource referencing on, say, an Apache Server? I don't want XML to be making any requests at all, either internal or God forbid accessing a 3rd party URL! I just want hard-coded data from it...
@user-xb9zg3fv9j 9 months ago
hey hey hey sir please tell this theme of zsh. I tried searching all of them but I didn't find any like this, please do tell.
@yeasirarafat4261 5 years ago
awesome
@Wikkido5000 2 years ago
do you have a similar video for JSON?
@Sparkette 3 years ago
Is it okay to use a '
@generalinformation3194 2 years ago
hello can i get the xmlsax_parser tool you use in the video plz
@overgrowncarrot1 3 years ago
I like how John Hammond says I have a small youtube channel lol
@xf4229 3 years ago
I am having an issue accessing id_rsa in the .ssh file. Is there any way to bypass it? The current issue is I/O warning: fail to load external entity.
@asjidkalam 4 years ago
is stok's video on OOB XXE private?
@aymanrbati531 2 years ago
why can't u declare the "send" entity directly in the external DTD ? why put it inside 'wrapper' ?
@anatolyrapoport2216 3 years ago
Nice tutorial!
@vijaykumar-hc6jz 4 years ago
Why is DTD so called ? It could have also been called Entity Definition or something like that ? Any answer to this is appreciated.
@alexanderwu 4 months ago
So... How do you defend against it?
@annomy1493 3 years ago
voice seems to be known. Is it John Hammond ???
@stefaunholland6642 2 years ago
The way you say "parameter" makes me think of a parking meter with a parachute falling out of the sky - an American
@patricksteinmuller8084 1 year ago
Tbh. I wonder why anyone would use DTD anyhow? The reason I am so fond of XML is the existence of XSD and XSLTs. A well defined XML is both human readable and machine readable. Can be validated against an XSD, can be transformed against an XSLT and have XSD, XSLT and both XML input and XML output validated against respective XSDs. This is not something that we have for json or yaml. I was too lazy to look ... I somehow suspect that we have similar attack vectors in the X* Suite.
@zanidd 5 years ago
I'd like to do a similar style collab, if you're into it send me an email!
@laurinneff4304 2 years ago
It would've been great if you had included a segment on how to protect against these attacks
@Morgan_iv 1 year ago
Just don't use XML
@coastaldemigod 2 years ago
my engineering professor taught the first 10 mins. of this video in 1 month
@d86123 3 years ago
So... the question is, how do you prevent XXE injection attacks?
@ca7986 4 years ago
♥️
@acunsumageka3949 4 years ago
tools for xml parser ?
@tuttifrutti4184 5 months ago
holy shit this is so hard to understand, but I suppose it's supposed to be this way unless you actually practise using XML for quite some time
@IBMboy 5 years ago
9:47 My name is jeff. Nice meme
@puravida012 5 years ago
this is soo old, HTB showed something like this almost a year ago
@PwnFunction 5 years ago
Yeah it's very old, you can even find stuff about it way back in 2002. www.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0
@eduardoandrescastilloperer4810 6 months ago
OMG why was that even encoded into the standard!!!
@lexibigcheese 2 years ago
so that's why there's a doctype html. that's what it's for!
@JD-mz1rl 3 years ago
I don't get it. Unless the web server is running with root permissions, what useful files are you going to get out of it?
@Aidiakapi 3 years ago
It's not just for web servers, it can compromise clients too. Getting someone to open a document and extract information. As for what useful files, plenty of web servers will have access to many useful files. Configuration files, uploaded artifacts, etc.
@ctfs09 2 years ago
there is something you need to explore more! You don't have to be root, it's not about editing, it is just exfiltrating and you don't have to be root! Try cat /etc/passwd without being root and even you can see that.
@hellb0y794 2 years ago
you sound like @liveoverflow, are you his brother? 😆
@uplink-on-yt 2 years ago
My reaction (comment, not video): eyes open wide, mouth covered with hand, deep breath - AKA "Surprised Pikachu". This is possibly one of the most evil things I've ever seen (yeah... I'm pretty innocent)
@gcm4312 4 years ago
can you link that python xml parser?
@PwnFunction 4 years ago
I don't have the code with me, but I hope this can be helpful - docs.python.org/3/library/xml.sax.reader.html
@mylyf6684 5 years ago
Hi bro, will you please share that python script for parsing XML. please...
@PwnFunction 4 years ago
I don't have the code, but it was a simple sax xml parser written in python - docs.python.org/3/library/xml.sax.reader.html
@kallikantzaros 2 years ago
from lxml import etree
# lxml parser that loads the DTD and allows network access, i.e. with external entity resolution left switched on
parser = etree.XMLParser(load_dtd=True, no_network=False)
tree = etree.parse("main_attack.xml", parser=parser)
etree.dump(tree.getroot())
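The lxml snippet above is the DTD-loading configuration. As an added example that is neither the video's script nor the commenter's code, here is the same contrast in Python's standard-library xml.sax (the parser family the author says the video used), addressing the several comments asking how to defend: one parser with external general entities switched on, which is what makes it fetch whatever a SYSTEM identifier points at, beside a hardened one that keeps external entities off and refuses any DOCTYPE before its declarations are processed. The "secret" it reads is a constructed temporary file, and the entity name `ext` and the function names are my own.

```python
import io, os, tempfile, xml.sax
from xml.sax import handler

class RejectDTD:
    # Lexical handler that refuses any DOCTYPE: no DTD means no entity declarations.
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not accepted in untrusted input")
    endDTD = comment = startCDATA = endCDATA = lambda self, *args: None

def _parse(parser, xml_bytes):
    parts = []
    sink = handler.ContentHandler()
    sink.characters = parts.append     # collect whatever text the parser expands
    parser.setContentHandler(sink)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(parts)

def parse_weak(xml_bytes):
    # Weak: external general entities are resolved, so whatever a SYSTEM
    # identifier points at is fetched and spliced into the document text.
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    return _parse(parser, xml_bytes)

def parse_hardened(xml_bytes):
    # Hardened: external entities off (explicitly; old Pythons defaulted to on)
    # and any DOCTYPE rejected before its declarations are processed.
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, RejectDTD())
    return _parse(parser, xml_bytes)

def demo():
    # Constructed stand-in for a sensitive local file (not a real system file).
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=constructed-secret")
    doc = ('<!DOCTYPE data [ <!ENTITY ext SYSTEM "file://%s"> ]>'
           '<data>&ext;</data>' % f.name).encode()
    leaked = parse_weak(doc)           # the secret ends up in the parsed text
    try:
        blocked = parse_hardened(doc)  # never returns: the DOCTYPE is refused
    except ValueError as exc:
        blocked = str(exc)
    os.unlink(f.name)
    return {"weak": leaked, "hardened": blocked}

if __name__ == "__main__":
    print(demo())
```

A document without a DOCTYPE still parses normally under parse_hardened, so ordinary data is unaffected by the restriction.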
@arenddejong6609 5 years ago
LiveOverflow JohnHammond 2.0
@adityashrest6334 4 years ago
what is inside xxe parser python
@PwnFunction 4 years ago
I don't have the code, but I think it was just reading the XML file and spitting out the output (after processing). And I used sax - docs.python.org/3/library/xml.sax.reader.html