Collaborate Disseminate
SCENARIO:
I successfully tried to send a request to the burp collaborator, then the application is vulnerable to SSRF through blind XXE. The payload I used is the following
<?xml version="1.0" encoding="utf-8"?>
… Continue reading XXE with OOB data exfiltration
I have a log of spam emails collected from various sources, in JSON. The goal is to move it all into plaintext to become a training corpus for a machine learning exercise. Mail subject, etc, is plaintext. Bodies, however, are encoded…
As… Continue reading How do I read an email log that captures bodies in different combinations of encodings plus underlying format
I have received an encrypted XML document, that contains
a. An encrypted session key – this was encrypted using my public key. I have succesfully decrypted this using:
const decryptedSessionKey = crypto.privateDecrypt(
{ key: privKey,… Continue reading How to extract IV from ciphertext in XML [migrated]
Date and time handling is hard, that’s an ugly truth about software development we’ll all learn the hard way one day. Sure, it might seem like some trivial everyday thing that you can easily implement yourself without relying on a third-party library. I mean, it’s basically just adding seconds on …read more
Continue reading Samsung’s Leap Month Bug Teaches Not to Skimp On Testing
As the world settles into this pandemic, some things are still difficult to mentally reckon, such as the day of the week. We featured a printed day clock a few months ago that used a large pointer to provide this basic psyche-grounding information. In the years since then, [Jeff Thieleke] …read more
Continue reading Day Clock Monitors Air Quality of the Great Indoors
My goal is to create a docx file that, when uploaded to a server and parsed there, causes the parser to fetch my url so I know it worked.
Unfortunately, I only have Libre Office and not MS Office at my hands. When I open the file with Lib… Continue reading XXE Injection in docx: entity not defined
It is an age-old problem, that of having some data you want to store somewhere, and later bring it back. How do you format the data? Custom file formats are not that hard, but if you use an existing format you can probably steal code from a library to help …read more
I have a bug where a Java SAXReader with validation set to false reads XML I partially control.
The reader gets supplied this:
<event>[DATA I CONTROL]</event>
I can put whatever I want in [DATA I CONTROL], t… Continue reading XXE inside an XML element?
can any one sign in to account in ps4 network with tamper data
i cant find pass and user filed in tamper data when i want to login in Ps4 network
thanks
Continue reading have problem login to ps4 network with tamper data [closed]
I was testing the website example.com and found a form vulnerable to XML Injection. It send the details you insert into that form as xml attachment via email to my email address and also to administrators CMS as email. It wor… Continue reading How can i turn this xml injection into a valid XXE?