4:12 "S" in XML stands for "Security"....LOL
that's the point hah
SGML?
are you a bug bounty hunter?
I've spent a week learning XML and XXE, and your video just summarized 80% of what I learned. Great job!
Even though most of the time I don't completely understand every bit, I really like your editing and presentation of these (for me) 'complex' topics! Keep it up! You're doing great man!
The framework for explaining stuff is amazing. About every other video has a ncat -l 1337 command in it, and it has become a standard practice for me in my own work to use that command. The pwnfunction toolbox feels very versatile👍 Really really nice!
This is pure gold. Thx for the great content
I really appreciate your video editing techniques. Make the content easy to follow and engaging.
I really like the style of your vids! Keep em coming
Well, well, well !! That's more than AMAAAAAAAAAAAZING !!!
I was unable to understand XML and XXE as well until I watched your video.
Thank you so much !!
RECOMMENDED FOR ALL #BUG_BOUNTY_HUNTERS
I love this channel, the people in it and the people subscribed to it. Thank you for making it simple
Why didn't I find this before
Awesome stuff man
Thank you
I came to know about this channel from stoks tweets xD
11:45 It's really crystal clear to explain Blind XXE in this way! Thankssss!! ❤
John's voice is equal to IppSec's voice, this blew my mind :D
Fel
hahahaha not just me that got confused for a second
He is ippsec ;) John Hammond
I just have to say your opening and music are perfect 👌
Its name is mortals
Best explanation ever. Very very to the point. Thank you :)
Thanks for the awesome video and slides! Very clear and knowledgeable
"XXE is just a beginning" - this line with the background... goosebumps
Your explanation is really AWESOME bro
first
GREAT CHANNEL
@// Anuj ó_ó
I have literally never heard about this before, this is so cool, I almost thought it was an April Fool's video for a second
Wow love this style. By the way thanks for the super clear explanation. Especially with the examples, super good clear cut examples.
Loving your channel man, keep up the good work!
omg, thank you. This video is so good :)
Loved the explanation !!!!!!!!!!🤩
Such an insightful video. Thanks a ton
I like how John Hammond says I have a small youtube channel lol
Very informational for beginners. Thank you so much
Awesome explanation. It's easy to understand, thank you. Please make more cool videos
This is the best video on XXE
This is pure gold..
You're a hero! Thanks my man.
Nice explanation 🔥
Great Video. Thx for sharing your knowledge.
great video . we look forward to new videos
You deserve a million subscribers
Keep making more videos mate
Well that's a longgggggggggg way. Don't think I could ever hit such crazy numbers, If I hit 10k then I feel like I've accomplished something :) but thanks.
@PwnFunction u will surely achieve it IA
Superb explanation
Great Explanation !
thanks bro, I've one question at 18:05: why do we need %start and %end, why not change them directly to the value?
Please make more videos on different vulnerabilities... explanations are 👌
Tbh. I wonder why anyone would use DTD anyhow? The reason I am so fond of XML is the existence of XSD and XSLTs. A well defined XML is both human readable and machine readable. Can be validated against an XSD, can be transformed against an XSLT and have XSD, XSLT and both XML input and XML output validated against respective XSDs. This is not something that we have for json or yaml. I was too lazy to look ... I somehow suspect that we have similar attack vectors in the X* Suite.
this video is sufficient to understand XXE. Thanks Pwn You Func well ;-)
Awesome content!
Your videos are a aaaaaaaaaamaaaaaazinggggg
3:56 diReRectly
17:06 willbewillbe
Amazing video.
Super AWESOME!!
Why is DTD so called? It could have also been called Entity Definition or something like that? Any answer to this is appreciated.
In Italy XML is used to send invoices to the IRS, and after a few days it sends that to your client .... So this video is reassuring me..
great video thanks so much
Great video, your videos have been educative, can you make a video on based XSS?
Next one!
very nice video.
Never heard of that attack before the video. Soo wow amazing. If you think about it it's quite simple actually. Btw is there a way to secure it easily?
I love the Intro
Can you attach a link to the xml parser you used in the video
What software do u use to make these slideshows or animations (whatever) to explain these attacks in such an interesting way?
How can I disable XML parser resources referencing on say an Apache Server? I don't want XML to be making any requests at all, either internal or God forbid accessing a 3rd party URL! I just want hard-coded data from it...
Love your channel Bro !!
So I ran into a failure with DVWA in the section "file upload", I've tried to upload a file with the payload.
It seems to me that the server (using docker) won't parse an xml file, can that be true?
I'm getting this error: "This XML file does not appear to have any style information associated with it. The document tree is shown below."
Or should I convert that to an html file?
What theme for VScode and terminal are u using? BTW Great video, thanks!
Monokai Pro
Terminus - eugeny.github.io/terminus/
voice seems to be known. Is it John Hammond???
What should I do if I have to configure a http request to get a file's information, but its content contains special character? We cannot use CDATA in a URL, right?
god level videos
why can't u declare the "send" entity directly in the external DTD? why put it inside 'wrapper'?
So how does one defend against this? Say I was running the server you were attacking and *didn't* want you reading /etc/passwd, but still wanted to retain as much (safe) functionality of the XML parser as possible. What would I do?
Dude, your videos are great! What do you use to create the animations?
Adobe animate boi.
Is it okay to use a '
What terminal do you use for the examples? It looks very nice. Guessing it's cygwin based by the looks of it
Terminus - eugeny.github.io/terminus/
what software did you use to make this content ?
& sign showing error while referencing an entity. I tried in ascii or hex too, it is not working. Are there any other ways to reference it?
On a certain java server I’m able to retrieve the data of /sys/power/image_size (basically a number) using OOB xxe but I’m unable to retrieve contents of etc/passwd; any thoughts?
I am having an issue accessing id_rsa in the .ssh folder. Is there any way to bypass it? The current issue is I/O warning: fail to load external entity.
my engineering professor taught the first 10 mins. of this video in 1 month
do you have a similar video for JSON?
do you have git repo which collect the scripts and XML files used here?
is stok's video on OOB XXE private?
The way you say "parameter" makes me think of a parking meter with a parachute falling out the sky - an American
hey hey hey sir please tell me this zsh theme. I tried searching all of them but I didn't find any like this, please do tell.
Nice Stuff
:) Amazing!
Thanks for the video
It would've been great if you had included a segment on how to protect against these attacks
Just don't use XML
So... How do you defend against it?
I get lost at 15:17. Who is responsible for doing the replacements? If it is attacker.com's server it should have the passwords of attacker in $CONTENTS_OF_PASSWD, and if s/he serves it as raw then the other (pwn.com?) should be responsible for the replacement, then it shouldn't work because you can't have a '%' inside an entity, just as before.
The replacements that I've show in the video is just so people can understand it a bit better. During the time of xml parsing on a vulnerable application, entities are replaced like I've talked about. The code @ 15:17 is not accurate, it's more like a parsed representation, so you might wanna see the demo bit 15:38 to understand it a bit more with the real code.
2:42, already think of JSON as easier, just use a string and escape the quote characters
**Edit:** I also prefer lua when I need more than just data capabilities
I don't get it. Unless the web server is running with root permissions, what useful files are you going to get out of it?
It's not just for web servers, it can compromise clients too. Getting someone to open a document and extract information.
As for what useful files, plenty of web servers will have access to many useful files. Configuration files, uploaded artifacts, etc.
there is something you need to explore more! You don't have to be root, its not about editing , it is just exfiltrating and you don't have to be root! Try cat /etc/passwd without being root and even you can see that.
Nice tutorial!
hello can i get the xmlsax_parser tool you use it in the video plz
awesome
holy shit this is so hard to understand, but I suppose it's supposed to be this way unless you actually practise using XML for quite some time
you sound like @liveoverflow, are you his brother? 😆
So... the question is, how do you prevent XXE injection attacks?
this is soo old, HTB showed something like this almost a year ago
Yeah it's very old, you can even find stuff about it, way back in 2002.
www.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0
9:47 My name is jeff. Nice meme
My reaction (comment, not video): eyes open wide, mouth covered with hand, deep breath - AKA "Surprised Pikachu". This is possibly one of the most evil things I've ever seen (yeah... I'm pretty innocent)
Xml is so stupid, but maybe it's just that everything using xml is old and "legacy" and thus has a bad structure (or just one for internal use only) and it's thus extremely frustrating.
I am currently working on a 50k line xml, I don't use the dtds or any other of the external information in the document, but I clicked on some links and most of them are 404s at this point................
But hey it's better than csv with sometimes quotes, sometimes not, containing ~ separated arrays, with inconsistent formatting and id values
Hai bro will you please share that python script for parsing XML. please...
I don't have the code, but it was a simple sax xml parser written in python - docs.python.org/3/library/xml.sax.reader.html
from lxml import etree
# DTD loading and network access switched on: this is the deliberately
# permissive setup for reproducing the attack, not lxml's default
parser = etree.XMLParser(load_dtd=True, no_network=False)
tree = etree.parse("main_attack.xml", parser=parser)
etree.dump(tree.getroot())
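The lxml snippet above enables DTD loading and network access, which is the permissive setup the video demonstrates, and several comments ask how to defend against it. As an added example (not the commenter's or the video's code), here is the same contrast with the standard-library xml.sax parser the video used: the single feature_external_ges switch decides whether a SYSTEM entity pointing at a local file is expanded, so a hardened parser returns no file content. The secret file and its path are constructed here.

```python
import os
import tempfile
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser reports inside the document."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_document(xml_bytes, allow_external_entities):
    """Parse xml_bytes with xml.sax. True mirrors the permissive parser from
    the video, False is the hardened setting: external general entities are
    then skipped instead of being fetched from disk or the network."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(BytesIO(xml_bytes))
    return "".join(handler.text).strip()


def demo():
    """Return (permissive_output, hardened_output) for one XXE-style document."""
    # Constructed stand-in for a sensitive local file such as /etc/passwd.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("CONSTRUCTED-SECRET\n")
        secret_path = f.name
    try:
        xml_bytes = (
            '<?xml version="1.0"?>\n'
            "<!DOCTYPE root [\n"
            f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
            "]>\n"
            "<root><data>&xxe;</data></root>\n"
        ).encode()
        return (
            parse_document(xml_bytes, allow_external_entities=True),
            parse_document(xml_bytes, allow_external_entities=False),
        )
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    permissive, hardened = demo()
    print("external entities on :", repr(permissive))
    print("external entities off:", repr(hardened))
```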
OMG why was that even encoded into the standard!!!
I hate background color 🤦♂️🤦♂️🤦♂️🤦♂️ change to white color pls
But content is AAmazinggggg👍👍
so that's why there's a doctype html. that's what it's for!
I'd like to do a similar style collab, if you're into it send me an email!
♥️
can you link that python xml parser?
I don't have the code with me, but I hope this can be helpful - docs.python.org/3/library/xml.sax.reader.html