Just wanted to post some details from my BH USA 2015 briefing “Exploiting XXE In File Upload Functionality”.
Landed the SSRF Cloud Metadata technique in a few different scenarios recently. If you haven’t seen the talk BHUSA 2014 - Bringing a Machete to the Amazon I recommend it.
An XML Entity testing cheatsheet. This is an updated version with nokogiri tests removed, just (X)XE notes.
Last month at Blackhat Arsenal 2015, Pete and I (@will_is) presented on Serpico. This was our second time at Arsenal. Yet again, awesome people, great venue, and overall a highlight for me of BH/DC/LV. We got some excellent feedback on the project, so thank you to anyone who stopped by
I was researching something else and thought this was a cool way to execute a command through the open method in ruby: