XML External Entity injection with error-based data exfiltration

Introduction

In a recent project, I’ve uncovered a significant security issue that revolves around XML External Entity attacks.

This article delves into my journey of identifying and exploiting the XXE threat in our project in an unusual way to output the attack results — via Java exceptions in the log files.

What is XXE?

XML External Entity (XXE) is a security vulnerability that occurs in applications handling XML input. In an XXE attack, an attacker can exploit an application’s XML …

bug bounty hacking penetration testing writeup xml