Exploiting XXE Vulnerabilities in File Parsing Functionality

Black Hat USA 2015

Presented by: Will Vandevanter
Date: Thursday August 06, 2015
Time: 09:00 - 09:25
Location: South Seas GH

In this 25-minute briefing, we will discuss techniques for exploiting XXE vulnerabilities in File Parsing/Upload functionality. Specifically, XML Entity Attacks are well known, but their exploitation inside XML supported file formats such as docx, xlsx, pptx, and others are not. Discussing the technically relevant points step by step, we will use real world examples from products and recent bug bounties. Finally, in our experience, creating 'XXE backdoored' files can be a very slow process. We will introduce our battle tested tool for infecting the file formats discussed.

Will Vandevanter

Willis Vandevanter is a principal at Silent Robot Systems. Prior to SRS, Will was a Senior Researcher at Onapsis and Lead Penetration Tester at Rapid7. He has previously spoken at DEFCON, TROOPERS, OWASP AppSec, and other conferences. In his spare time, he writes code and stumbles through CTFs.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats