From blind XXE to root-level file read access
XXE
On a recent bug bounty adventure, I came across an XML endpoint that responded interestingly to attempted XXE exploitation.
https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/