Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

XML Out-of-Band Data Retrieval

Black Hat via YouTube

Start learning Write review
Boot.dev Ad

Learn Backend Development Part-Time, Online

Learn More → Coursera Ad

Google AI Professional Certificate - Learn AI Skills That Get You Hired

Learn More →

Overview

Coursera Flash Sale
40% Off Coursera Plus for 3 Months!
Grab it
Explore a groundbreaking technique for out-of-band data retrieval in this 30-minute Black Hat EU 2013 conference talk. Discover how to access files and resources from a victim's machine and internal network, even when normal output is possible from vulnerable applications handling XML data. Learn about XML hacker techniques, constraints, simple parsing, external entities, and entity attributes. Dive into simulation construction, sample services, XML injections, and SQL injections. Understand DNS queries, the main technique, visualization, and restrictions. Examine the declaration of entities, loading entities, and the ExpressT document parser. Gain insights into tools like Metasploit and GitHub for practical application. Presented by Alexey Osipov and Timur Yunusov, this talk provides a comprehensive overview of this innovative data retrieval method.

Syllabus

Introduction
Agenda
XML
Hacker Techniques
Constraints
Simple parsing
External entities
Entities in attributes
Simulation construction
Sample service
XML injections
SQL injections
DNS queries
Main technique
Visualization
Restrictions
Declaration of Entity
Load Entity
Express
T document
Parser
Summary
Success
Passing
Summary Table
Demo
Tools
Metasploit
GitHub
Conclusions
Special Thanks

Taught by

Black Hat

Reviews

Start your review of XML Out-of-Band Data Retrieval

Start learning

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Sign up for free
Someone learning on their laptop while sitting on the floor.