Primary Content: Home

Path Traversal Cheat Sheet: Linux

Got a path/directory traversal or file disclosure vulnerability on a Linux-server and need to know some interesting files to hunt for? I’ve got you covered Know any more good files to look for? Let me know!

The list included below contains absolute file paths, remember if you have a traversal attack you can prefix these with encoding traversal strings, like these:

Continue reading: Path Traversal Cheat Sheet: Linux

XXE Cheatsheet – XML External Entity Injection

All the fun of the post on XML External Entities (XXE) but less wordy!

 

<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
 <userInfo>
  <firstName>John</firstName>
  <lastName>&example;</lastName>
 </userInfo>

Continue reading: XXE Cheatsheet – XML External Entity Injection

Graceful Security!

Hiya!

I post content about Information Security from the point of view of an attacker and show how to fix security issues. Hopefully something buried in here will be of use to any Penetration Testers, Security Consultants or people trying to defend against hackers!

The easiest way to navigate the site is by choosing a category above or scroll down to see the most recent posts!

Let me know what you think!     — @HollyGraceful

XXE: XML eXternal Entity Injection vulnerabilities

Here’s a quick write-up on XXE, starting with how to detect the vulnerability and moving on to how to fix it! XXE is a vulnerability in the way that XML parses handle user input and if an attacker is able to enter arbitrary or crafted data into an XML parser they may be able to inject entities and this could leave to file disclosure, denial-of-service attacks or in rare cases – code execution!

Continue reading: XXE: XML eXternal Entity Injection vulnerabilities