Let's now look at another type of vulnerability that we may come across while performing a pentest. XML External Entity (XEE) attacks are a type of attack against an application that parses XML input poorly. These types of attacks can lead to local file disclosure such as password files. It can also be used to pivot to other internal systems in the network using RCE.
- Title Page
- Copyright and Credits
- About Packt
- Contributors
- Preface
- Kali - An Introduction
- Configuring Kali Linux
- Configuring the Xfce environment
- Configuring the MATE environment
- Configuring the LXDE environment
- Configuring the E17 environment
- Configuring the KDE environment
- Prepping with custom tools
- Zone Walking using DNSRecon
- Setting up I2P for anonymity
- Pentesting VPN's ike-scan
- Setting up proxychains
- Going on a hunt with Routerhunter
- Gathering Intel and Planning Attack Strategies
- Getting a list of subdomains
- Using Shodan for fun and profit
- Shodan Honeyscore
- Shodan plugins
- Censys
- Using Nmap to find open ports
- Bypassing firewalls with Nmap
- Searching for open directories using GoBuster
- Hunting for SSL flaws
- Automating brute force with BruteSpray
- Digging deep with TheHarvester
- Finding technology behind webapps using WhatWeb
- Scanning IPs with masscan
- Finding origin servers with CloudBunny
- Sniffing around with Kismet
- Testing routers with Firewalk
- Vulnerability Assessment - Poking for Holes
- Using the infamous Burp
- Exploiting WSDLs with Wsdler
- Using Intruder
- Using golismero
- Exploring Searchsploit
- Exploiting routers with routersploit
- Using Metasploit
- Automating Metasploit
- Writing a custom resource script
- Setting up a database in Metasploit
- Generating payloads with MSFPC
- Emulating threats with Cobalt Strike
- Web App Exploitation - Beyond OWASP Top 10
- Exploiting XSS with XSS Validator
- Injection attacks with sqlmap
- Owning all .svn and .git repositories
- Winning race conditions
- Exploiting XXEs
- Exploiting Jboss with JexBoss
- Exploiting PHP Object Injection
- Automating vulnerability detection using RapidScan
- Backdoors using meterpreter
- Backdoors using webshells
- Network Exploitation
- Introduction
- MITM with hamster and ferret
- Exploring the msfconsole
- Railgun in Metasploit
- Using the paranoid meterpreter
- The tale of a bleeding heart
- Exploiting Redis
- Saying no to SQL – owning MongoDBs
- Hacking embedded devices
- Exploiting Elasticsearch
- Good old Wireshark
- This is Sparta
- Exploiting Jenkins
- Shellver – reverse shell cheatsheet
- Generating payloads with MSFvenom Payload Creator (MSFPC)
- Wireless Attacks - Getting Past Aircrack-ng
- Password Attacks - The Fault in Their Stars
- Have Shell, Now What?
- Spawning a TTY shell
- Looking for weaknesses
- Horizontal escalation
- Vertical escalation
- Node hopping – pivoting
- Privilege escalation on Windows
- Pulling a plaintext password with Mimikatz
- Dumping other saved passwords from the machine
- Pivoting
- Backdooring for persistance
- Age of Empire
- Automating Active Directory (AD) exploitation with DeathStar
- Exfiltrating data through Dropbox
- Data exfiltration using CloakifyFactory
- Buffer Overflows
- Elementary, My Dear Watson - Digital Forensics
- Playing with Software-Defined Radios
- Kali in Your Pocket - NetHunters and Raspberries
- Writing Reports
- Other Books You May Enjoy
Exploiting XXEs
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.