https://blog.rodolpheg.xyz/tags/xxe/Recent content in XXE on RORO's blogHugofr-frcontact@rodolpheg.xyz (0xRo)contact@rodolpheg.xyz (0xRo)Sat, 07 Feb 2026 00:00:00 +0000https://blog.rodolpheg.xyz/posts/enketo-auth-bypass-ssrf-xxe-and-file-read/Sat, 07 Feb 2026 00:00:00 +0000contact@rodolpheg.xyz (0xRo)https://blog.rodolpheg.xyz/posts/enketo-auth-bypass-ssrf-xxe-and-file-read/<h2 id="introduction">Introduction</h2> <p>Original post: <a href="https://offenskill.com/blog/enketo-arbitrary-file-read/">OffenSkill - Enketo 6.2.1 - Auth-Bypass, SSRF, and XXE Browser Abuse to File Read</a></p> <p>This <a href="https://offenskill.com/training">training</a> session was focused on white-box code review, application, and system runtime introspection.<br> We wanted to work on a JavaScript backend framework and <a href="https://enketo.org/">Enketo Express</a> seemed to be a good candidate. The source code is available on <a href="https://github.com/enketo/enketo-express">GitHub - enketo/enketo-express</a> and the version we assessed was the <a href="https://github.com/enketo/enketo-express/releases/tag/6.2.1">version 6.2.1</a>, built with the official Dockerfiles.</p> <p>Enketo is a cross platform software used to (quoting):</p>