f:["$","$L7b",null,{"pageReplacement":"$undefined","getWebVital":true,"pageId":"pjpt-web-application-exploitation-xxe-external-entities-injection","records":{"block":{"pjpt-web-application-exploitation-xxe-external-entities-injection":{"id":"pjpt-web-application-exploitation-xxe-external-entities-injection","children":["9d4790851db3449498949dd195188056","7de39706310e42d4b066c81eabe7ad29","add88018043d450b8c30aaa0b3a5be5f","c6e27d6ff7134aed8708301de040f445","552281980b8c421386946f094650d6b3"],"hasContent":true,"parentId":"pjpt-web-application-exploitation","title":[["XXE - External Entities Injection"]],"updatedAt":1697367240131,"type":"page","spaceId":"effee466-26fe-4b35-9546-7578583a13e3","createdTime":1697366905421,"lastEditedTime":1697367240131,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"uri":"/pjpt/web-application-exploitation/xxe-external-entities-injection","fullWidth":false,"smallText":false,"noCover":true,"superProperties":{},"propertyValues":{},"blockId":"5f9a9cef-6bbe-4db5-a9c6-c5c3d23791d2"},"pjpt-web-application-exploitation":{"id":"pjpt-web-application-exploitation","children":[],"hasContent":true,"parentId":"pjpt","title":[["Web Application Exploitation"]],"updatedAt":1697367424659,"type":"page","spaceId":"effee466-26fe-4b35-9546-7578583a13e3","createdTime":1696753923370,"lastEditedTime":1697367424659,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"description":null,"uri":"/pjpt/web-application-exploitation","blockId":"d7e7db6c-4571-47c2-be8d-192192a3f502"},"pjpt":{"id":"pjpt","children":[],"hasContent":true,"parentId":"practical-network-penetration-tester-pnpt-by-tcm-security","title":[["Practical Junior Penetration Tester (PJPT) by TCM Security"]],"updatedAt":1744253818680,"type":"page","spaceId":"effee466-26fe-4b35-9546-7578583a13e3","createdTime":1695900018856,"lastEditedTime":1744253818680,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"description":null,"uri":"/pjpt","blockId":"5fef49ec-d5f5-440a-8590-850c706961ff"},"practical-network-penetration-tester-pnpt-by-tcm-security":{"id":"practical-network-penetration-tester-pnpt-by-tcm-security","children":[],"hasContent":true,"parentId":"1d2a59f8762980c8af13fbdeeb331fe4","title":[["Practical Network Penetration Tester (PNPT) by TCM Security"]],"updatedAt":1744358629411,"type":"page","spaceId":"effee466-26fe-4b35-9546-7578583a13e3","createdTime":1698157123734,"lastEditedTime":1744358629411,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"description":null,"uri":"/practical-network-penetration-tester-pnpt-by-tcm-security","blockId":"41e8148b-ce03-4c6c-a91e-fe98270c69c1"},"1d2a59f8762980c8af13fbdeeb331fe4":{"id":"1d2a59f8762980c8af13fbdeeb331fe4","children":[],"hasContent":true,"parentId":"effee46626fe4b3595467578583a13e3","title":[["Study Notes"]],"updatedAt":1750697808334,"type":"page","spaceId":"effee466-26fe-4b35-9546-7578583a13e3","createdTime":1744335078923,"lastEditedTime":1750697808334,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"description":null,"uri":"/1d2a59f8762980c8af13fbdeeb331fe4","blockId":"1d2a59f8-7629-80c8-af13-fbdeeb331fe4"},"9d4790851db3449498949dd195188056":{"id":"9d4790851db3449498949dd195188056","children":[],"hasContent":false,"parentId":"pjpt-web-application-exploitation-xxe-external-entities-injection","title":[],"updatedAt":1697366919864,"type":"text"},"7de39706310e42d4b066c81eabe7ad29":{"id":"7de39706310e42d4b066c81eabe7ad29","children":[],"hasContent":false,"parentId":"pjpt-web-application-exploitation-xxe-external-entities-injection","title":[["\n\n]>\n&xxe;pass"]],"updatedAt":1697367204781,"type":"code","language":"Python","wrap":false,"link":null},"add88018043d450b8c30aaa0b3a5be5f":{"id":"add88018043d450b8c30aaa0b3a5be5f","children":[],"hasContent":false,"parentId":"pjpt-web-application-exploitation-xxe-external-entities-injection","title":[["xxe grabs the content of file:///etc/passwd"]],"updatedAt":1697367241903,"type":"text"},"c6e27d6ff7134aed8708301de040f445":{"id":"c6e27d6ff7134aed8708301de040f445","children":[],"hasContent":false,"parentId":"pjpt-web-application-exploitation-xxe-external-entities-injection","title":[["then we reference it in &xxe; to make it display on website after upload"]],"updatedAt":1697367263096,"type":"text"},"552281980b8c421386946f094650d6b3":{"id":"552281980b8c421386946f094650d6b3","children":[],"hasContent":false,"parentId":"pjpt-web-application-exploitation-xxe-external-entities-injection","title":[],"updatedAt":1697367242743,"type":"text"}},"form_question":{},"entity":{},"pageId":"5f9a9cef6bbe4db5a9c6c5c3d23791d2","pagesToCreate":[]},"settings":{"siteId":"668d5f1f-7ca3-4b99-8c39-0144af653216","userId":"ff2bfa48-add8-4d80-b679-7f6f77ab8c76","domainName":"blog.estfanous.com","name":"Elu5iv3","active":true,"free":false,"tier":"personal","favicon":"https://assets.super.so/668d5f1f-7ca3-4b99-8c39-0144af653216/uploads/favicon/0f1801cc-27a2-493e-ab7f-4fd36e061ae4.png","fontFamily":"Inter","legacyTheme":null,"language":"en","languages":[],"notionPage":"1d2a59f8762980c8af13fbdeeb331fe4","indexPageId":"668d5f1f-7ca3-4b99-8c39-0144af653216:::ceaf840f-cc5e-4607-a3b0-8aba8f55d6c4","pageProperties":true,"pageSyncing":true,"viewSwitcher":true,"layoutSidePanel":true,"siteSearch":true,"advancedSearch":false,"themeToggle":true,"mondayFirst":false,"loadLimits":false,"hidePersonInfo":true,"showPropertyIcons":true,"redirectSubdomain":null,"noIndex":false,"viewsExceeded":false,"pagesExceeded":false,"cacheTTL":0,"manualSync":false,"syncStatus":"unsynced","publishedAt":null,"navbar":{"type":"notion","style":{"height":56,"textColor":"var(--color-text-default)","backgroundColor":"var(--color-bg-default)","ctaTextColor":"var(--color-text-default)","ctaBackgroundColor":"var(--color-bg-default)","isSticky":true,"shadow":{"type":"none","color":"rgba(0,0,0,1)","opacity":12}},"links":[],"logo":null,"cta":{"type":"page","label":"","link":"","pageId":""},"isSticky":true,"breadcrumbs":false},"footer":{"type":"none","style":{"textColor":"var(--color-text-default)","backgroundColor":"var(--color-bg-default)"},"links":[],"logo":null,"socials":[],"footnote":"","divider":false},"sidebar":{"enabled":true,"links":[{"id":"609dffe5-d268-4eb2-8f6c-79fdc2f78dcd","type":"url","label":"Home","link":"https://estfanous.com","icon":"","list":[]},{"id":"6fddbfef-2f5d-4411-9b5d-884ef884b640","type":"page","label":"PNPT Studies","link":"/practical-network-penetration-tester-pnpt-by-tcm-security","pageId":"668d5f1f-7ca3-4b99-8c39-0144af653216:::8de74fc0-9625-4f97-aaf1-5b0db17a37c8","list":[]},{"id":"904f5efa-e09a-4316-92bc-1c20ab90b93e","type":"page","label":"PJPT Studies","link":"/pjpt","pageId":"668d5f1f-7ca3-4b99-8c39-0144af653216:::d045e384-98be-4d11-90cd-6144f228d89e","icon":"","list":[]},{"id":"c3af028b-a252-475b-a8c8-ef99bf994331","type":"page","label":"AD CS / Certificate Attacks (ESC1-15) (1, 8, 11 for now)","link":"/certificate-attacks-esc1-15","pageId":"668d5f1f-7ca3-4b99-8c39-0144af653216:::edf53f01-e276-4956-bc7b-f85f2b488de2","icon":"","list":[]},{"id":"b8781640-5e91-4479-8803-360c473dd341","type":"page","label":"Report Writing / Client Presentation","link":"/practical-network-penetration-tester-pnpt-by-tcm-security/report-writing","pageId":"668d5f1f-7ca3-4b99-8c39-0144af653216:::83917953-6911-467d-a9be-55c173f81d96","icon":"","list":[]},{"id":"8f318e3a-3b2e-4080-b07f-70f3aafc11cb","type":"page","label":"Operationalizing Cybercrime Data (June 2025)","link":"/operationalizing-cybercrime-data-for-red-teams-offensive-ops","pageId":"668d5f1f-7ca3-4b99-8c39-0144af653216:::a04c2547-cbb3-4680-952f-ee20e9f3c4e0","icon":"","description":"","list":[]}],"cta":[],"logo":{"type":"image","width":180,"fontSize":16,"textContent":"Estfanous","imageContent":"https://assets.super.so/668d5f1f-7ca3-4b99-8c39-0144af653216/uploads/logo/5b6dda30-1aaf-4de0-9f8d-e550b4a1d494.png","imageContentDark":null,"disabled":false},"searchEnabled":true},"theme":{"colorMode":"dark","layout":{"paddingLayout":0.9,"layoutMaxWidth":900,"columnSpacing":46,"borderThicknessLayout":1,"borderTypeLayout":"solid","borderRadiiLayout":13,"pageDisplay":"flex"},"header":{"coverHeight":26,"titleAlign":"left","iconAlign":"-112px auto auto auto","display":"block"},"collectionCard":{"gap":30,"shadow":"rgba(0, 0, 0, 0.05) 0px 20px 40px -10px","coverHeightLarge":360,"coverHeightMedium":327,"coverHeightSmall":240,"titleSize":1.151,"coverSizeSmall":172,"coverSizeMedium":260,"coverSizeLarge":320,"iconDisplay":"none"},"callout":{"iconDisplay":"none","shadow":"rgba(0, 0, 0, 0.04) 0px 10px 20px -6px"},"typography":{"primaryFont":"Space Grotesk","secondaryFont":"Space Mono","fonts":[],"baseSize":16,"titleSize":3.48,"headingSize":1.32,"quoteSize":1.2,"quoteSizeLarge":1.4,"textWeight":400,"headingWeight":600},"scrollbar":{"width":15},"navbar":{"height":64,"shadow":"rgba(0, 0, 0, 0.03) 0px 10px 20px -6px"},"footer":{"height":0},"sidebar":{"width":280,"shadow":"none"},"colors":{"light":{"text":"#3e284e","textLight":"#7d7c78","background":"#fbf7ff","borderColor":"#edd7fc","checkboxBackground":"#9459d1","hoverBackground":"#eadff3","scrollbar":{"background":"#fcf7ff","handle":"#e9e3ec","border":"#fcf7ff"},"navbar":{"text":"#37352F","background":"#fbf7ff","buttonText":"#ffffff","buttonBackground":"#9459d1"},"footer":{"text":"#37352F","background":"#f5eef9","buttonText":"#ffffff","buttonBackground":"#37352F"},"sidebar":{"text":"#37352F","ctaText":"#37352F","background":"#ffffff","hoverBackground":"#efefef","ctaBackground":"#ffffff","border":"#E9E9E7"},"database":{"cardBackground":"#fdfaff","cardHoverBackground":"#ffffff","calendarWeekendBackground":"#f7f6f3"},"default":[45,8,20],"gray":[36,2,46],"brown":[19,31,47],"orange":[30,87,45],"yellow":[38,62,49],"green":[149,31,39],"blue":[202,53,43],"purple":[275,47,65],"pink":[328,48,53],"red":[2,62,55],"form":{"submitButton":{"default":"#55534E","gray":"#A7A39A","brown":"#9A6851","orange":"#D9730D","yellow":"#CA922F","green":"#448361","blue":"#327DA9","purple":"#8F64AF","pink":"#C24C8B","red":"#D44E49"}}},"dark":{"text":"#ffffff","textLight":"#9b9b9b","background":"#011634","borderColor":"#132032","checkboxBackground":"#23364f","hoverBackground":"#262626","scrollbar":{"background":"#1a151f","handle":"#47444b","border":"#1a151f"},"navbar":{"text":"#e1e1e1","background":"#011634","buttonText":"#191919","buttonBackground":"#9459d0"},"footer":{"text":"#e1e1e1","background":"#241d2a","buttonText":"#191919","buttonBackground":"#e1e1e1"},"sidebar":{"text":"#e1e1e1","ctaText":"#e1e1e1","background":"#191919","hoverBackground":"#292929","ctaBackground":"#191919","border":"#373737"},"database":{"cardBackground":"#26212b","cardHoverBackground":"#332c39","calendarWeekendBackground":"#202020"},"form":{"submitButton":{"default":"#55534E","gray":"#A7A39A","brown":"#9A6851","orange":"#D9730D","yellow":"#CA922F","green":"#448361","blue":"#327DA9","purple":"#8F64AF","pink":"#C24C8B","red":"#D44E49"}},"default":[45,8,20],"gray":[0,0,61],"brown":[18,35,58],"orange":[25,54,53],"yellow":[38,54,54],"green":[146,32,47],"blue":[217,50,58],"purple":[270,55,58],"pink":[329,57,58],"red":[1,69,60]}}},"code":{"head":[],"body":[],"style":[],"css":""},"files":[],"hasPassword":false,"hasFeed":false},"smallText":false,"config":"$undefined","pageLocation":"/pjpt/web-application-exploitation/xxe-external-entities-injection","passwords":[],"styles":"","children":[["$","main",null,{"id":"page-pjpt-web-application-exploitation-xxe-external-entities-injection","className":"super-content page__pjpt-web-application-exploitation-xxe-external-entities-injection parent-page__pjpt-web-application-exploitation","children":[["$","$L7c",null,{"url":"https://blog.estfanous.com/pjpt/web-application-exploitation/xxe-external-entities-injection","title":"XXE - External Entities Injection","description":"xxe grabs the content of file:///etc/passwd","root":{"id":"1d2a59f8762980c8af13fbdeeb331fe4","uri":"/","title":"Study Notes","icon":null},"image":null,"canonical":null,"author":"Untitled","favicon":"https://assets.super.so/668d5f1f-7ca3-4b99-8c39-0144af653216/uploads/favicon/0f1801cc-27a2-493e-ab7f-4fd36e061ae4.png","breadcrumbs":[{"id":"pjpt","uri":"/pjpt","title":"Practical Junior Penetration Tester (PJPT) by TCM Security","icon":null},{"id":"pjpt-web-application-exploitation","uri":"/pjpt/web-application-exploitation","title":"Web Application Exploitation","icon":null},{"id":"pjpt-web-application-exploitation-xxe-external-entities-injection","uri":"/pjpt/web-application-exploitation/xxe-external-entities-injection","title":"XXE - External Entities Injection","icon":null}],"siteId":"668d5f1f-7ca3-4b99-8c39-0144af653216","userId":"ff2bfa48-add8-4d80-b679-7f6f77ab8c76","domainName":"blog.estfanous.com","name":"Elu5iv3","active":true,"free":false,"tier":"personal","fontFamily":"Inter","legacyTheme":null,"language":"en","languages":"$7d","notionPage":"1d2a59f8762980c8af13fbdeeb331fe4","indexPageId":"668d5f1f-7ca3-4b99-8c39-0144af653216:::ceaf840f-cc5e-4607-a3b0-8aba8f55d6c4","pageProperties":true,"pageSyncing":true,"viewSwitcher":true,"layoutSidePanel":true,"siteSearch":true,"advancedSearch":false,"themeToggle":true,"mondayFirst":false,"loadLimits":false,"hidePersonInfo":true,"showPropertyIcons":true,"redirectSubdomain":null,"noIndex":false,"viewsExceeded":false,"pagesExceeded":false,"cacheTTL":0,"manualSync":false,"syncStatus":"unsynced","publishedAt":null,"navbar":"$7e","footer":"$83","sidebar":"$87","theme":"$97","code":"$c7","files":"$cb","hasPassword":false,"hasFeed":false}],null,null,["$","div",null,{"className":"notion-header page","children":[["$","div",null,{"className":"notion-header__cover no-cover no-icon","children":null}],["$","div",null,{"className":"notion-header__content max-width no-cover no-icon","children":[["$","div",null,{"className":"notion-header__title-wrapper","children":[null,["$","h1",null,{"className":"notion-header__title","children":"XXE - External Entities Injection"}]]}],null]}]]}],["$","$Lcc",null,{"id":"pjpt-web-application-exploitation-xxe-external-entities-injection","children":[["$","div",null,{"id":"block-9d4790851db3449498949dd195188056","className":"notion-text"}],["$","$Lcd","7de39706310e42d4b066c81eabe7ad29",{"id":"7de39706310e42d4b066c81eabe7ad29","children":null,"hasContent":false,"parentId":"pjpt-web-application-exploitation-xxe-external-entities-injection","title":"$ce","updatedAt":1697367204781,"type":"code","language":"Python","wrap":false,"link":null}],["$","p",null,{"id":"block-add88018043d450b8c30aaa0b3a5be5f","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$d0","0-0-text",{"children":"xxe grabs the content of file:///etc/passwd"}]],"$undefined"]}],["$","p",null,{"id":"block-c6e27d6ff7134aed8708301de040f445","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$d0","0-0-text",{"children":"then we reference it in &xxe; to make it display on website after upload"}]],"$undefined"]}],["$","div",null,{"id":"block-552281980b8c421386946f094650d6b3","className":"notion-text"}]],"hasContent":true,"parentId":"pjpt-web-application-exploitation","title":"$d1","updatedAt":1697367240131,"type":"page","spaceId":"effee466-26fe-4b35-9546-7578583a13e3","createdTime":1697366905421,"lastEditedTime":1697367240131,"createdBy":"$d3","lastEditedBy":"$d7","uri":"/pjpt/web-application-exploitation/xxe-external-entities-injection","fullWidth":false,"smallText":false,"noCover":true,"superProperties":"$db","propertyValues":"$dc","blockId":"5f9a9cef-6bbe-4db5-a9c6-c5c3d23791d2","isRoot":true,"ctx":{"head":{"url":"https://blog.estfanous.com/pjpt/web-application-exploitation/xxe-external-entities-injection","title":"XXE - External Entities Injection","description":"xxe grabs the content of file:///etc/passwd","root":"$dd","image":null,"canonical":null,"author":"Untitled","favicon":"https://assets.super.so/668d5f1f-7ca3-4b99-8c39-0144af653216/uploads/favicon/0f1801cc-27a2-493e-ab7f-4fd36e061ae4.png","breadcrumbs":"$de"},"settings":{"siteId":"668d5f1f-7ca3-4b99-8c39-0144af653216","userId":"ff2bfa48-add8-4d80-b679-7f6f77ab8c76","domainName":"blog.estfanous.com","name":"Elu5iv3","active":true,"free":false,"tier":"personal","favicon":"https://assets.super.so/668d5f1f-7ca3-4b99-8c39-0144af653216/uploads/favicon/0f1801cc-27a2-493e-ab7f-4fd36e061ae4.png","fontFamily":"Inter","legacyTheme":null,"language":"en","languages":"$7d","notionPage":"1d2a59f8762980c8af13fbdeeb331fe4","indexPageId":"668d5f1f-7ca3-4b99-8c39-0144af653216:::ceaf840f-cc5e-4607-a3b0-8aba8f55d6c4","pageProperties":true,"pageSyncing":true,"viewSwitcher":true,"layoutSidePanel":true,"siteSearch":true,"advancedSearch":false,"themeToggle":true,"mondayFirst":false,"loadLimits":false,"hidePersonInfo":true,"showPropertyIcons":true,"redirectSubdomain":null,"noIndex":false,"viewsExceeded":false,"pagesExceeded":false,"cacheTTL":0,"manualSync":false,"syncStatus":"unsynced","publishedAt":null,"navbar":"$7e","footer":"$83","sidebar":"$87","theme":"$97","code":"$c7","files":"$cb","hasPassword":false,"hasFeed":false},"records":"$e2","pageId":"pjpt-web-application-exploitation-xxe-external-entities-injection"}}]]}],["$","$L129",null,{"id":"pjpt-web-application-exploitation-xxe-external-entities-injection","children":"$e5","hasContent":true,"parentId":"pjpt-web-application-exploitation","title":"$d1","updatedAt":1697367240131,"type":"page","spaceId":"effee466-26fe-4b35-9546-7578583a13e3","createdTime":1697366905421,"lastEditedTime":1697367240131,"createdBy":"$d3","lastEditedBy":"$d7","uri":"/pjpt/web-application-exploitation/xxe-external-entities-injection","fullWidth":false,"smallText":false,"noCover":true,"superProperties":"$db","propertyValues":"$dc","blockId":"5f9a9cef-6bbe-4db5-a9c6-c5c3d23791d2","ctx":"$12a"}]]}]