From blind XXE to root-level file read access

XXE

On a recent bug bounty adventure, I came across an XML endpoint that responded interestingly to attempted XXE exploitation.