{"id":9233,"date":"2012-05-25T15:30:16","date_gmt":"2012-05-25T13:30:16","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9233"},"modified":"2012-05-25T15:30:16","modified_gmt":"2012-05-25T13:30:16","slug":"hitb2012ams-day-2-attacking-xml-processing","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/","title":{"rendered":"HITB2012AMS Day 2 - Attacking XML Processing"},"content":{"rendered":"<h3>Attacking XML Processing<\/h3>\n<p>Dressed in a classy Corelan Team T-Shirt, <a href=\"https:\/\/twitter.com\/Agarri_FR\">Nicolas Gr\u00e9goire<\/a> kicks off his presentation by introducing himself. Nicolas was asked by a customer to audit some XML-DSig applications 18 months ago and found a number of bugs. This triggered him to do more research on this topic.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"20120525_142727.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120525_1427271.jpg\" alt=\"20120525 142727\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>This technology is present in a LOT of applications today.<\/p>\n<h4>XML 101<\/h4>\n<p>Nicolas continues by explaining some basics about the\u00a0eXtensible Markup Language, \u00a0how XML documents are structured and what the purpose of using multiple namespaces is. \u00a0Namespaces are there to avoid ambiguities, but you can also use namespaces to trigger some specific features. \u00a0You can, for example, call PHP code from XSLT.<\/p>\n<p>In a valid XML document, you can find more than just data. \u00a0You can find XSLT code, define some grammar, and include processing instructions. 
\u00a0Parsers should be aware of this to avoid issues.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_143734_111.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_143734_111.jpg\" alt=\"Rps20120525 143734 111\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>XML is used in a lot of technologies (SVG, SOAP, XML-RPC, XSLT, XKMS, SAML, WSDL, REST, and so on). The Microsoft Lync online service uses XML to enable dial-in conferencing. \u00a0W3C uses it in its online XSLT 2.0 service, allowing you to upload files, potentially leading to Java code execution on the server side (not tested). \u00a0The following simple\u00a0Google dork might get you more information about other services: inurl:\"xslurl=http\"<\/p>\n<p>When auditing an app that parses XML, you should ask yourself the following questions, Nicolas continues:<\/p>\n<ul>\n<li>What are the vectors used for XML data?<\/li>\n<li>Is the data being processed? \u00a0If so, by who\/where (client\/server\/gw)?<\/li>\n<li>What is the attack surface?<\/li>\n<li>What are the processing points? \u00a0If you can submit data, does it get executed or not? \u00a0 If you can submit grammar, will it resolve external entities? \u00a0If you can provide XSLT code, check what extensions are available (to access databases, or run Java code).<\/li>\n<\/ul>\n<p>An interesting example: Wikipedia allows you to upload an SVG file, and transforms it into a PNG. \u00a0 In other words, it parses and converts the SVG into an image.<\/p>\n<p>Nicolas explains that all demos in the presentation are based on Atom feeds. \u00a0He wrote a couple of feed readers: one using Perl, another one in PHP and a third one in JSP \/ Java.<\/p>\n<h4>Encapsulation<\/h4>\n<p>XDP is a container for PDF\/XFA documents. \u00a0Nicolas used a 3-year-old vulnerability (cooltype) and attempted to avoid AV detection by using encapsulation. 
\u00a0By modifying the Metasploit module for this particular exploit, he managed to evade all 43 AV engines.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_144907_624.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_144907_624.jpg\" alt=\"Rps20120525 144907 624\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<h4>Temporary DoS<\/h4>\n<p>By creating a temporary DoS condition, you may be able to detect the fact that something is being processed in a black box audit scenario (similar to the benchmark trick for SQL injection). \u00a0He demonstrated a couple of ways that would lead to the allocation of multiple gigabytes of RAM.<\/p>\n<h4>XXE Exploitation<\/h4>\n<p>XML External Entities (XXE) is probably the most common XML vulnerability, Nicolas explains. \u00a0You could basically specify a filename (\/etc\/passwd) in an entity, and every time the entity gets used, the reference gets replaced by the contents of the file. \u00a0RESTlet, Yandex, OpenOffice, SharePoint, DotNetNuke, IceWarp are just a couple of applications that speak REST and might be vulnerable to XXE attacks.<\/p>\n<p>XXE attacks can be very powerful. \u00a0You can easily hit the internal network, do banner grabbing (by using something like ssh:\/\/ip:22 for example) and do blind attacks. \u00a0In certain scenarios, \u00a0you can use the file handler to steal NTLM hashes or \"pass the hash\", or list directories to get more information. \u00a0 Depending on the available extensions, there's a lot more you can do. 
\u00a0 Successful exploitation depends on:<\/p>\n<ul>\n<li>XML parser<\/li>\n<li>the OS<\/li>\n<li>programming language used<\/li>\n<li>application specific features \u00a0(for example, use the fact that PHP returns base64 encoded data to read a file that contains null bytes)<\/li>\n<\/ul>\n<div>Nicolas performed some really impressive demos using a variety of techniques that allowed him to read files and memory and to connect to ports on other hosts.<\/div>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_145926.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_145926.jpg\" alt=\"Rps20120525 145926\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<h4>XSLT Exploitation<\/h4>\n<p>The purpose of XSLT is to transform XML into something else. \u00a0 XSLT is Turing Complete. \u00a0The main use of XSLT is to display XML to humans, but it can also be used to extract data or convert between formats. You can find XSLT parsers in Web Apps, browsers, Database servers (Oracle for example), Word Processors, XML-DSig. \u00a0Nicolas played with a bunch of apps and discovered bugs in\u00a0Xalan-J, Sablotron, libxslt, transformix, XT, Adobe, Oracle-C, 4Suite, Altova.<\/p>\n<p>First, he performed some basic mutation-based fuzzing. The recipe:\u00a0take a bunch of XSLT engines, get a bunch of input files (downloaded from the internet), use a diversifier (Radamsa), set up monitoring\u2026 and go. \u00a0He explains that he typically takes 5000 files, and lets Radamsa create 10000000 files. \u00a0 To monitor, he used Valgrind and AddressSanitizer. \u00a0Using this approach, he found a couple of bugs (most of them are not patched yet) in Mozilla Firefox, Webkit, Opera, Oracle (ORA-07445). \u00a0To trigger the XSLT parser in Oracle, you can use the code in the screenshot below. 
\u00a0At the bottom of the screenshot, you can see it can lead to control of FP:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_150835_240.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_150835_240.jpg\" alt=\"Rps20120525 150835 240\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>The problem with XSLT is that it is a functional language. \u00a0There is no loop functionality (while, for, \u2026) and every variable is read only. \u00a0 This complicates brute forcing and reading STDOUT. \u00a0You can, however, use an XSL for-each location wrapper to read something from another file. \u00a0This simulates a \"for\" loop. \u00a0If you combine this with SQL extensions, you would be able to attack internal databases and dump tables.<\/p>\n<p>The \"while\" loop, needed to read stdout, is a bit more complex to implement. \u00a0 The idea is to use an XSLT Loop Compiler (by @obqo). \u00a0It exposes &lt;loop:while&gt;, &lt;loop:do&gt; , &lt;loop:last&gt; and &lt;loop:update&gt;, but that is not valid XSLT code. \u00a0After compiling, it gets converted into a valid XSLT file, but the resulting file will be quite large.<\/p>\n<p>By combining a source containing the commands you want to run with the code that includes the loops (to execute and return the output), you can run arbitrary commands on a remote system and retrieve the output.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_151648_601.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_151648_601.jpg\" alt=\"Rps20120525 151648 601\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>On Dec 30 2011, at BerlinSides, Nicolas claimed that he couldn't find a way to execute Java in XSLT, but he was contacted by @mihi42 who shared some details on how to do it. \u00a0 Nicolas ends the presentation by demonstrating how to get meterpreter shells by embedding PHP\/Java code in XSLT files. 
\u00a0The Metasploit module, to create XSLT files for PHP and Java, should be released shortly.<\/p>\n<p>PHP Meterpreter:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_152302_913.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_152302_913.jpg\" alt=\"Rps20120525 152302 913\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>Java:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_152512_113.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_152512_113.jpg\" alt=\"Rps20120525 152512 113\" width=\"600\" height=\"286\" border=\"0\" \/><\/p>\n<h4>Conclusion<\/h4>\n<p>XML is everywhere. \u00a0You should understand that it's more than just data. DTD and XXE attacks have been known for more than 10 years, and the offensive side is progressing quickly (because XML is increasing in popularity).<\/p>\n<p>You can get more info about his work, the results of his research and some source code on http:\/\/xhe.xwiki.org \u00a0(which, ironically, is based on a Wiki that uses REST (a.o.) and IS vulnerable to certain types of attacks).<\/p>\n<p>Brilliant work!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attacking XML Processing Dressed in a classy Corelan Team T-Shirt, Nicolas Gr\u00e9goire kicks off his presentation by introducing himself. Nicolas was asked by a customer to audit some XML-DSig applications 18 months ago and found a number of bugs. This triggered him to do more research on this topic. 
This technology is present in &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"HITB2012AMS Day 2 - Attacking XML Processing\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[2250],"tags":[2916,1886],"class_list":["post-9233","post","type-post","status-publish","format-standard","hentry","category-cons-seminars","tag-firefox","tag-meterpreter"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HITB2012AMS Day 2 - Attacking XML Processing - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HITB2012AMS Day 2 - Attacking XML Processing - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Attacking XML Processing Dressed in a classy 
Corelan Team T-Shirt, Nicolas Gr\u00e9goire kicks off his presentation by introducing himself. Nicolas has been asked by a customer to audit some XML-DSig applications 18 months ago and found a number of bugs. This triggered him to do more research on this topic. This technology is present in &hellip; Continue reading &quot;HITB2012AMS Day 2 - Attacking XML Processing&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2012-05-25T13:30:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120525_1427271.jpg\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"HITB2012AMS Day 2 - Attacking XML 
Processing\",\"datePublished\":\"2012-05-25T13:30:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/\"},\"wordCount\":1162,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/20120525_1427271.jpg\",\"keywords\":[\"firefox\",\"meterpreter\"],\"articleSection\":[\"Cons and Seminars\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/\",\"name\":\"HITB2012AMS Day 2 - Attacking XML Processing - Corelan | Exploit Development &amp; Vulnerability 
Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/20120525_1427271.jpg\",\"datePublished\":\"2012-05-25T13:30:16+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/20120525_1427271.jpg\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/20120525_1427271.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-attacking-xml-processing\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HITB2012AMS Day 2 &#8211; Attacking XML Processing\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, 
heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"HITB2012AMS Day 2 - Attacking XML Processing - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/","og_locale":"en_US","og_type":"article","og_title":"HITB2012AMS Day 2 - Attacking XML Processing - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"Attacking XML Processing Dressed in a classy Corelan Team T-Shirt, Nicolas Gr\u00e9goire kicks off his presentation by introducing himself. Nicolas has been asked by a customer to audit some XML-DSig applications 18 months ago and found a number of bugs. This triggered him to do more research on this topic. This technology is present in &hellip; Continue reading \"HITB2012AMS Day 2 - Attacking XML Processing\"","og_url":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability 
Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2012-05-25T13:30:16+00:00","og_image":[{"url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120525_1427271.jpg","type":"","width":"","height":""}],"author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"HITB2012AMS Day 2 - Attacking XML Processing","datePublished":"2012-05-25T13:30:16+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/"},"wordCount":1162,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120525_1427271.jpg","keywords":["firefox","meterpreter"],"articleSection":["Cons and Seminars"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/","url":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/","name":"HITB2012AMS Day 2 - Attacking XML Processing - Corelan | Exploit Development &amp; Vulnerability 
Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/#primaryimage"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120525_1427271.jpg","datePublished":"2012-05-25T13:30:16+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/#primaryimage","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120525_1427271.jpg","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120525_1427271.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-attacking-xml-processing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"HITB2012AMS Day 2 &#8211; Attacking XML Processing"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals 
worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. 
With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":4553,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=9233"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9233\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=9233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=9233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=9233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}