https://stream.echo6.co/videos/watch/ddc4db80-58ff-4bdf-919d-be26e8dd19e3 00:00 - Introduction, why I created this script and a quick demo 01:00 - Going over XML Entity Injection, doing it manually and explaining what the payloads are 05:30 - Sponsor shoutout, showing Snyk scan the source code to this application and catching the XXE 06:30 - Patching the code, asking Github Copilot for a proper way to fix it and it recommends disabling loading XML Entity off remote sources 09:55 - Making sure Snyk is happy with our code fix and going over some other findings 11:04 - Start of coding the XXE Script, creating the webserver 16:40 - Putting our webserver in a thread so we can also run a CLI 18:30 - Talking about how and why we are just going to use a global variable with our thread 19:20 - Having our terminal able to update the payload variable, so we can easily change files we want to exfil 22:30 - Creating a function to read an HTTP Request copied from Burp, so we can use it with python requests 29:28 - Testing out our function, and discovering we need to fix the path 33:20 - The skeleton of the script is done, adding in the logic to actually perform the XXE Attack but putting the file name in the wrong spot. 38:15 - Running our script and fixing up a few bugs 40:44 - Fixing up where we placed the file in our XXE Payload 42:15 - Adding comments in our code as we glance over it 43:30 - Adding some login in our script to tell the python server it is base64, which should help future proof it for doing XXE with other languages 47:30 - Adding argparse to our program, so we can get rid of hard coded variables 50:50 - Parsing the LHOST variable from the request file we have, so the server will send the file to the right location Wed, 15 Apr 2026 09:50:50 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/ddc4db80-58ff-4bdf-919d-be26e8dd19e3 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.