FileCry - The New Age of XXE

Black Hat USA 2015

Presented by: Sergey Gorbaty, Xiaoran Wang
Date: Thursday August 06, 2015
Time: 17:00 - 18:00
Location: Mandalay Bay GH

Xml eXternal Entities (XXE) is one of the most deadly vulnerabilities on the Internet, and we will demonstrate how critical enterprise software packages are still vulnerable to these attacks today. In this action-packed presentation, we will demonstrate two 0-day vulnerabilities we identified in both popular server (Java) and client-side (Internet Explorer) technologies. The first vulnerability can be exploited with an attacker-controlled XML leading to arbitrary file ex-filtration on a target server even with all the Java protections enabled. The second vulnerability, allows an attacker to steal both arbitrary files on the local hard drive and secret information across origins with a malicious webpage. Therefore, effectively bypassing the Same Origin Policy and breaching the web-local separation. Both exploits are reliable and do not depend on memory corruptions.

Join us as we take you through an exciting journey of finding, exploiting these vulnerabilities, and preventing this class of attacks in the future.

Xiaoran Wang

Xiaoran Wang is a Senior Product Security Engineer at Salesforce. He has presented at several conferences such as Black Hat USA, Black Hat Asia, ToorCon, HackerHalted, etc. He is passionate about security, especially web application security. At work, he does architectural feature review for security, web penetration testing, security training and automations. In his personal time, he hunts for vulnerabilities and writes poor EDM musics. You may checkout his personal website at www.attacker-domain.com.

Sergey Gorbaty

Sergey Gorbaty is a product security engineer focusing on mobile, authentication, architecture design, and dynamic analysis.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats