XXEs in the wild
Now, we'll look at some real examples of XXEs and how they have been exploited in bounty programs.
Read access to Google
On April 11th, 2014, researchers from the Detectify security team reported a vulnerability in the Google search engine.
The reasons they selected the Google search engine to look for vulnerabilities were as follows:
- They thought Google was such a big platform that it might have old or deprecated software.
- It's a challenge to assess unknown and hardly accessible software.
- They had access to proprietary software that only some people can access.
- They had access to alpha and beta releases by Google.
So, they started doing searches using Google Search.
Using search techniques, they found some interesting systems and software, but they focused their attention on the Google Toolbar button gallery. This was a personalized toolbar to manage Google buttons; users could personalize it with new buttons or edit the existing ones. The Detectify team considered it a very...