Exploiting XXE Vulnerabilities in Files Parsing Functionality

by Willis Vandevanter
Sept. 18, 2017 1 comment www.blackhat.com belen_caty Pen Testing & Audits

We will discuss techniques for exploiting XXE vulnerabilities in file parsing and upload functionality. XML entity attacks are well known, but their exploitation inside XML-based file formats such as docx, xlsx, pptx, and others is not. Discussing the technically relevant points step by step, we will use real-world examples from products and recent bug bounties. Finally, in our experience, creating 'XXE backdoored' files can be a very slow process. We will introduce our battle-tested tool for infecting the file formats discussed.
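
Added example (not from the talk or the authors' tool): a defensive pre-parse check that opens an uploaded docx, xlsx or pptx as the ZIP container it is and flags any XML part that declares a DTD, since an XML entity has to be declared there before it can be used. The function names, the 20 MB part cap and the sample inputs are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# OOXML parts are not expected to carry a DTD, so a DOCTYPE or ENTITY
# declaration in any part is enough to reject the upload.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
XML_SUFFIXES = (".xml", ".rels", ".vml")
MAX_PART_BYTES = 20 * 1024 * 1024  # assumed per-part size cap


def find_dtd_parts(data: bytes) -> list[str]:
    """Return names of XML parts that declare a DTD or are too large to check."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            if info.file_size > MAX_PART_BYTES:
                flagged.append(info.filename)
                continue
            # Dropping NUL bytes lets the ASCII pattern also match parts
            # encoded as UTF-16 or UTF-32.
            raw = archive.read(info).replace(b"\x00", b"")
            if DTD_MARKER.search(raw):
                flagged.append(info.filename)
    return flagged


def build_sample(document_xml: bytes) -> bytes:
    """Constructed two-part container for the demo (not a complete .docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        archive.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed inputs: the DTD only declares an internal entity.
PLAIN = '<?xml version="1.0"?><document>hello</document>'
DTD = ('<?xml version="1.0"?><!DOCTYPE document '
       '[<!ENTITY note "constructed">]><document>&note;</document>')
CLEAN = build_sample(PLAIN.encode("utf-8"))
WITH_DTD = build_sample(DTD.encode("utf-8"))
WITH_DTD_UTF16 = build_sample(DTD.encode("utf-16"))

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("dtd", WITH_DTD), ("dtd-utf16", WITH_DTD_UTF16)]:
        print(label, find_dtd_parts(blob))
```

A check like this is a pre-filter only; the parser that later reads the parts should still have DTD processing and external entity resolution disabled.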


Steven Ulm 6 months ago

XML is definitely more popular than XXE backdoored files. Really interesting analysis!