TS Episode20

From Security Weekly Wiki

Recorded September 25, 2017


  • Beau Bullock, @dafthack, Penetration Tester at Black Hills Information Security
  • Michael Felch, @ustayready, Instructor at TeelTech
  • Google Event Injection

    When pentesting web services or any application that consumes XML, XML External Entity (XXE) attacks are a good place to start. By adding an external entity declaration to a well-crafted XML payload before it is sent to the server, a penetration tester can trick the parser into performing actions the developer never intended. Depending on the parser and its configuration, this can lead to reading local files, server-side request forgery (SSRF), or even remote code execution (RCE). To help penetration testers, Beau Bullock (@dafthack) and Mike Felch (@ustayready) cover a few different methods to attack XML parsers in episode 19 of Tradecraft Security Weekly.
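    The defensive side of the technique described above, as an added example that is not part of the episode notes or the show's own material: the mechanism XXE abuses is the document's DTD, because that is where entities (internal or SYSTEM/external) get declared. The code below uses only the Python standard library expat binding. `parse_permissive` shows the default behaviour, where entity references declared in the DTD are silently expanded into the parsed text; `parse_hardened` installs a DOCTYPE handler that aborts the parse the moment a DTD appears, so no entity can be declared at all. The sample documents, the placeholder SYSTEM path and the helper names are all constructed for this example.

```python
"""Constructed example: refuse DTD-carrying XML from untrusted sources before the
parser can act on any entity it declares. Standard-library expat only."""
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when an untrusted document carries a DOCTYPE, which it never needs."""


def parse_permissive(xml_bytes: bytes) -> str:
    """Default expat behaviour: internal entities declared in the DTD are expanded
    into the character data. Returns the concatenated text so the expansion is visible.
    (Stdlib expat does not fetch SYSTEM entities unless a handler is installed, but
    other parsers and languages do, which is the classic XXE file-read/SSRF case.)"""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Same parse, but any DOCTYPE declaration aborts parsing before a single entity
    can be declared, closing the XXE, SSRF and entity-expansion surface in one place."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Exceptions raised inside an expat handler propagate out of Parse().
        raise DtdRejected(f"DOCTYPE {doctype_name!r} is not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Belt and braces: returning 0 makes expat treat any external entity reference
    # as a parse error, should a DTD ever get past the check above.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the hardened parser refuses the document because it carries a DTD."""
    try:
        parse_hardened(xml_bytes)
    except DtdRejected:
        return True
    return False


# Constructed sample: a harmless two-level internal entity chain, the same
# mechanism a "billion laughs" expansion scales up.
ENTITY_EXPANSION = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY a "aa">
  <!ENTITY b "&a;&a;">
]>
<doc>&b;</doc>"""

# Constructed sample: an external (SYSTEM) entity pointing at a placeholder path.
EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">
]>
<doc>&ext;</doc>"""

# Constructed sample: ordinary input with no DTD, which the hardened parser accepts.
CLEAN = b"""<?xml version="1.0"?><doc>hello</doc>"""


if __name__ == "__main__":
    print("permissive, internal entities expanded:", parse_permissive(ENTITY_EXPANSION))
    print("hardened, clean input:", parse_hardened(CLEAN))
    print("hardened rejects entity expansion:", is_rejected(ENTITY_EXPANSION))
    print("hardened rejects external entity:", is_rejected(EXTERNAL_ENTITY))
```

    Rejecting the DOCTYPE outright is simpler and more robust than trying to disable each entity feature individually, and it is the same rule a reviewer should look for in other stacks (for example, a Java `DocumentBuilderFactory` that has not disabled DTDs). The trade-off is that legitimate input which genuinely needs a DTD must be parsed on a separate, trusted path.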