XXE
First, start here to learn about the underlying technologies of XXE, including XML, external entities, and DTDs.
https://www.youtube.com/watch?v=aQFG-97f900
Then, read these posts to learn about the basics of classic XXEs and blind XXEs.
https://portswigger.net/web-security/xxe
https://portswigger.net/web-security/xxe/blind
https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
Go here to learn about potential escalation techniques.
https://www.we45.com/blog/3-ways-an-xxe-vulnerability-could-hit-you-hard
Go here to learn about some common protection bypasses.
https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/
https://blog.gdssecurity.com/labs/2015/4/29/automated-data-exfiltration-with-xxe.html
https://lab.wallarm.com/xxe-that-can-bypass-waf-protection-98f679452ce0/
Finally, go here to read an example of an exploitation walkthrough.
And here are some payloads that you can use on your targets.
https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection