Exploiting XXE Vulnerabilities in Files Parsing Functionality

by Willis Vandevanter Sept. 18, 2017 via www.blackhat.com submitted by belen_caty

We will discuss techniques for exploiting XXE vulnerabilities in File Parsing/Upload functionality. Specifically, XML Entity Attacks are well known, but their exploitation inside XML supported file formats such as docx, xlsx, pptx, and others are not. Discussing the technically relevant points step by step, we will use real world examples from products and recent bug bounties. Finally, in our experience, creating 'XXE backdoored' files can be a very slow process. We will introduce our battle tested tool for infecting the file formats discussed.


Steven Ulm 1 month ago

XML is definitely more popular than XXE backdoored files. Really interesting analysis!