Parsers Behaving Badly
Parsers go where your business logic can't.
Chapter 06 of the roadmap. Work through each walkthrough below, or browse every topic.
- Malicious File Upload: Stored XSS via SVG
  Upload a malicious SVG to the admin product image field and get stored XSS that fires for every visitor.
- XML External Entity Injection: Exploiting a Legacy Supplier Import Endpoint
  Exploiting an insecure XML parser in the supplier order import feature to read arbitrary server-side files and retrieve a flag.