Exploiting XXE Vulnerabilities In File Parsing Functionality

Channel:
United States All Hacking Cons
Subscribers:
5,970
Published on ● Video Link: https://www.youtube.com/watch?v=o2K78rmVJk4


Duration: 22:11
16 views
0

In this 25-minute briefing, we will discuss techniques for exploiting XXE vulnerabilities in File Parsing/Upload functionality. Specifically, XML Entity Attacks are well known, but their exploitation inside XML supported file formats such as docx, xlsx, pptx, and others are not. Discussing the technically relevant points step by step, we will use real world examples from products and recent bug bounties. Finally, in our experience, creating 'XXE backdoored' files can be a very slow process. We will introduce our battle tested tool for infecting the file formats discussed.
PRESENTED BY
Willis Vandevanter

Black Hat - USA - 2015 Hacking conference
#hacking, #hackers, #infosec, #opsec, #IT, #security



Other Videos By All Hacking Cons


2022-01-03Internet Facing PLCs A New Back Orifice
2022-01-03Exploiting Out of Order Execution For Covert Cross VM Communication
2022-01-03Commercial Mobile Spyware Detecting The Undetectable
2022-01-03Internet Plumbing Gor Security Professionals The State Of BGP Security
2022-01-03Automated Human Vulnerability Scanning With AVA
2022-01-03Exploiting The DRAM Rowhammer Bug To Gain Kernel Privileges
2022-01-03CrackLord Maximizing Password Cracking Boxes
2022-01-03Internet Scale File Analysis
2022-01-03BGP Stream
2022-01-03Back Doors And Front Doors Breaking The Unbreakable System
2022-01-03Exploiting XXE Vulnerabilities In File Parsing Functionality
2022-01-03Is The NSA Still Listening To Your Calls A Surveillance Debate
2022-01-03Faux Disk Encryption Realities Of Secure Storage On Mobile Devices
2022-01-03Battle Of The SKM And IUM How Windows 10 Rewrites OS Architecture
2022-01-03Big Game Hunting The Peculiarities Of Nation State Malware Research
2022-01-03FileCry The New Age Of XXE
2022-01-03Forging The USB Armory, An Open Source Secure Flash Drive Sized Computer
2022-01-03Behind The Mask The Agenda, Tricks, & Tactics Of The Federal Trade Commission
2022-01-03Breaking Access Controls With BLEKey
2022-01-03Fingerprints On Mobile Devices Abusing And Leaking
2022-01-03From False Positives To Actionable Analysis Behavioral Intrusion Detection


Tags:
data
hacker
security
computer
cyber
internet
technology
hacking
attack
digital
virus
information
hack
online
password
code
web
concept
thief
network
scam
fraud
malware
secure
software
access
safety
system
firewall
communication
business
privacy
binary
account
spy
programmer
program
spyware
hacked
hacking conference
conference
learn
how to
2022
2021
cybersecurity
owned
break in
google
securing
exploit
exploitation
recon
social engineering
XXE
XXE vulnerabilities
Willis Vandevanter