Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

WordPress XXE Vulnerability in Media Library - 504

wpsec - Posted 4 Years Ago
  • Audio file formats such as MPEG layer I, layer II and layer III (MP3) need a way to include information about the music, such as the name, artist and other details. For WAVE files, this metadata comes in the iXML format.
  • An author on a WordPress site can upload media files containing XML tags, which makes this ripe for XML External Entity (XXE) injection. By adding an external entity to this metadata, it becomes a fairly straightforward XXE issue that can be exploited to read files from the OS, including /etc/passwd.
  • XXE is still on the OWASP Top 10, making it an extremely impactful and common bug. There are so many odd places where XML is parsed, and they all need to be tested for XXE.