XML Out-of-Band Data Retrieval
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a groundbreaking technique for out-of-band data retrieval in this 30-minute Black Hat EU 2013 conference talk. Discover how to access files and resources from a victim's machine and internal network, even when normal output is possible from vulnerable applications handling XML data. Learn about XML hacker techniques, constraints, simple parsing, external entities, and entity attributes. Dive into simulation construction, sample services, XML injections, and SQL injections. Understand DNS queries, the main technique, visualization, and restrictions. Examine the declaration of entities, loading entities, and the ExpressT document parser. Gain insights into tools like Metasploit and GitHub for practical application. Presented by Alexey Osipov and Timur Yunusov, this talk provides a comprehensive overview of this innovative data retrieval method.
Syllabus
Introduction
Agenda
XML
Hacker Techniques
Constraints
Simple parsing
External entities
Entities in attributes
Simulation construction
Sample service
XML injections
SQL injections
DNS queries
Main technique
Visualization
Restrictions
Declaration of Entity
Load Entity
Express
T document
Parser
Summary
Success
Passing
Summary Table
Demo
Tools
Metasploit
GitHub
Conclusions
Special Thanks
Taught by
Black Hat
Related Courses
Hacking and PatchingUniversity of Colorado System via Coursera Software Design Threats and Mitigations
University of Colorado System via Coursera Introduction to Cybersecurity for Teachers
Raspberry Pi Foundation via FutureLearn Identifying Security Vulnerabilities
University of California, Davis via Coursera Web Application Security Testing with Burp Suite
Coursera Project Network via Coursera