david wong

Hey! I'm David, a security engineer at the Blockchain team of Facebook, previously a security consultant for the Cryptography Services of NCC Group. I'm also the author of the Real World Cryptography book. This is my blog about cryptography and security and other related topics that I find interesting.

How we got read access on Google’s production servers posted April 2014

The team at Detectify found a way to access files on one of google's production server. Thanks to an old google product (google toolbar) that was using a poorly secured XML parser.

They just used a simple XXE attack where they uploaded a poisoned xml files and saw what the application printed back

a xxe looks like this:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [  
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

More on their blog


Leave a comment