Now, we'll look at some real examples of XXEs and how they have been exploited in bounty programs.
On April 11th, 2014, researchers from the Detectify security team reported a vulnerability in the Google search engine.
The reasons they selected the Google search engine to look for vulnerabilities were as follows:
- They thought Google is such a big platform that it might have old or deprecated software.
- It's a challenge to assess unknown and hardly accessible software.
- They had access to proprietary software that only some people can access.
- They had access to alpha and beta releases by Google.
So, they started to doing searches using Google Search:
Using searching techniques, they found some interesting systems and software. But they put their attention to the Google Toolbar button gallery. This was a personalized toolbar to manage Google buttons; the users could personalize it with new buttons or edit the existing ones. The Detectify team considered it a very...