Big thank you to Brilliant for sponsoring this video! To try Brilliant for free (for 30 days) and to get a 20% discount, visit: https://Brilliant.org/davidbombal

// Tib3rius’ SOCIAL //
YouTube:  https://www.youtube.com/Tib3rius
Website:  https://tib3rius.com/
Twitch:  https://www.twitch.tv/0xTib3rius
GitHub:  https://github.com/Tib3rius
LinkedIn:  https://www.linkedin.com/in/tib3rius/
X:  https://x.com/0xtib3rius
Bluesky:  https://bsky.app/profile/tib3rius.bsky.social

// Links REFERENCE //
XXE Demo Repo:  https://github.com/Tib3rius/XXE-Demos
Dynamic Tool-DTD Repo:  https://github.com/Tib3rius/Dynamic-DTD

// Specific Webpage REFERENCE //
https://en.wikipedia.org/wiki/Billion_laughs_attack
https://tib3rius.com/robots.txt

// David's SOCIAL // 
Discord: https://discord.com/invite/usKSyzb 
X: https://www.twitter.com/davidbombal 
Instagram: https://www.instagram.com/davidbombal 
LinkedIn: https://www.linkedin.com/in/davidbombal 
Facebook: https://www.facebook.com/davidbombal.co 
TikTok: http://tiktok.com/@davidbombal 
YouTube: https://www.youtube.com/@davidbombal

// MY STUFF //
 https://www.amazon.com/shop/davidbombal 

// SPONSORS // 
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com

// MENU //
0:00 - Coming up0:33 - Intro
03:07 - Brilliant Advert
04:22 - What is XXE
06:24 - XXE Demo Intro
08:54 - XML Spec Defined Entities
13:27 - XML Billion Laughs Attack
15:07 - XML Exploits
16:27 - XXE Demo Basic Example 1
22:33 - XXE Demo Basic Example 2
23:33 - Error-Based XXE Demo
30:11 - Dynamic DTD Demo
34:45 - The Community 
35:33 - Out-Of-Band XXE Demo
40:12 - XML Tips & Tricks
41:25 - Outro

xxe
xss
xml
http
https
website
xml external entities
cross site scripting
portswigger
ajax
jscript
lol
lol attack
billion laughts
billion lol
javascript
xss attack
xxe attack
xxe video tutorial
xxs attack tutorial
xxe explained
xss explained
xxe attack example
xxe bug bounty
xxe tutorial
xxe vulnerability
xxe vs csrf attack
xe example
kali linux
penetration testing
ethical hacking
bug bounty
cross site scripting
cross-site scripting
red teaming
cyber security
kali linux install
kali linux 2025
ethical hacker course
ethical hacker
javascript
ajax
jquery
node js
node js hacking
portswigger

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! 

Disclaimer: This video is for educational purposes only.

#xxe #xss #hacking

David Bombal

David Bumble hosts Tiberius, a well-known web app pentester and content creator, to discuss and demonstrate XML External Entities (XXE) vulnerabilities. Tiberius explains the basics of XXE, its potential risks such as server-side request forgery (SSRF) and file inclusion, and shares practical demonstrations including error-based and out-of-band XXE exploitation. The session also covers the use of Dynamic DTD for easier exploitation and the importance of proper XML parser configuration to mitigate these vulnerabilities. Links to Tiberius's YouTube channel and GitHub repository are provided for further learning and tool access.

Hacking websites (great demos) with XML External Entities (XXE)