Web Server that serves a single file and keeps the connection open until user releases it.

README.md

Blocking server will serve a given file regardless of the resource requested and will keep the connection open after sending the file until the user releases it by pressing Q + ENTER.

This server can be used to weaponize XXE and SSRF attacks and upload arbitrary files to the server. Note that the attacker won't be able to control the upload directory, the name, or the extension, so other vulnerabilities may be required for a successful attack.

Credits go to Timothy D. Morgan (@ecbftw) and his great talk on XXE during OWASP AppSec US 2013: Video

Usage:

javac BlockingServer.java

java BlockingServer

Press Q and ENTER when you want to release the connection
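
Seen from the defending side, a fetcher that waits for the peer to close will hang for as long as a server like this holds the connection. The following is an added example, not part of this repository: a Python fetcher that enforces a total wall-clock deadline and a size cap. `fetch_bounded` and `start_stalling_peer` are hypothetical names, and the peer is a constructed local fixture that stands in for a non-closing server.

```python
import socket
import threading
import time

def fetch_bounded(host, port, path="/", deadline_s=2.0, max_bytes=1 << 20):
    """Return (data, reason); reason is "eof", "deadline" or "too_large"."""
    end = time.monotonic() + deadline_s
    buf = bytearray()
    with socket.create_connection((host, port), timeout=deadline_s) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        while True:
            remaining = end - time.monotonic()
            if remaining <= 0:
                return bytes(buf), "deadline"
            s.settimeout(remaining)  # each read gets only what is left of the total budget
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                return bytes(buf), "deadline"  # peer went silent without closing
            if not chunk:
                return bytes(buf), "eof"  # peer closed normally
            buf += chunk
            if len(buf) > max_bytes:
                return bytes(buf[:max_bytes]), "too_large"

def start_stalling_peer(body=b"constructed-sample", hold_s=5.0):
    """Constructed fixture: answers one request, then holds the socket open."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n" + body)
        time.sleep(hold_s)  # no EOF is sent within the client's budget
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_stalling_peer()
    t0 = time.monotonic()
    data, reason = fetch_bounded("127.0.0.1", port, deadline_s=1.0)
    print(reason, len(data), f"{time.monotonic() - t0:.1f}s")
```

The deadline is tracked across all reads, so a peer that trickles bytes cannot extend it the way it could with a plain per-read timeout.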
