diff --git a/README-jp.md b/README-jp.md
index 8d7754f..690198c 100644
--- a/README-jp.md
+++ b/README-jp.md
@@ -52,6 +52,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [Books](#books)
- [DNS Rebinding](#dns-rebinding)
- [Evasions](#evasions)
+ - [XXE](#evasions-xxe)
- [CSP](#evasions-csp)
- [WAF](#evasions-waf)
- [JSMVC](#evasions-jsmvc)
@@ -328,6 +329,11 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
## Evasions
+
+### XXE
+
+- [Bypass Fix of OOB XXE Using Different encoding](https://twitter.com/SpiderSec/status/1191375472690528256) - Written by [@SpiderSec](https://twitter.com/SpiderSec).
+
### CSP
@@ -407,7 +413,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
### SQL Injection
-- [MySQL Error Based SQL Injection Using EXP](https://www.exploit-db.com/docs/english/37953-mysql-error-based-sql-injection-using-exp.pdf) - Written by [@osandamalith](https://twitter.com/osandamalith).
+- [MySQL Error Based SQL Injection Using EXP](https://www.exploit-db.com/docs/english/37953-mysql-error-based-sql-injection-using-exp.pdf) - Written by [@osandamalith](https://twitter.com/osandamalith).
- [SQL injection in an UPDATE query - a bug bounty story!](http://zombiehelp54.blogspot.jp/2017/02/sql-injection-in-update-query-bug.html) - Written by [Zombiehelp54](http://zombiehelp54.blogspot.jp/).
- [GitHub Enterprise SQL Injection](http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html) - Written by [Orange](http://blog.orange.tw/).
- [Making a Blind SQL Injection a little less blind](https://medium.com/@tomnomnom/making-a-blind-sql-injection-a-little-less-blind-428dcb614ba8) - Written by [TomNomNom](https://twitter.com/TomNomNom).
@@ -715,6 +721,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [Dnslogger](https://wiki.skullsecurity.org/index.php?title=Dnslogger) - DNS Logger by [@iagox86](https://github.com/iagox86).
- [CyberChef](https://github.com/gchq/CyberChef) - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by [@GCHQ](https://github.com/gchq).
+- [ntlm_challenger](https://github.com/b17zr/ntlm_challenger) - Parse NTLM over HTTP challenge messages by [@b17zr](https://github.com/b17zr).
## Social Engineering Database
diff --git a/README-zh.md b/README-zh.md
index 4e3b482..b2eb1b0 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -52,6 +52,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [Books](#books)
- [DNS Rebinding](#dns-rebinding)
- [Evasions](#evasions)
+ - [XXE](#evasions-xxe)
- [CSP](#evasions-csp)
- [WAF](#evasions-waf)
- [JSMVC](#evasions-jsmvc)
@@ -354,6 +355,11 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
## Evasions
+
+### XXE
+
+- [Bypass Fix of OOB XXE Using Different encoding](https://twitter.com/SpiderSec/status/1191375472690528256) - Written by [@SpiderSec](https://twitter.com/SpiderSec).
+
### CSP
@@ -440,7 +446,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [屌智硬之mysql不用逗号注入](http://www.jinglingshu.org/?p=2220) - Written by [jinglingshu](http://www.jinglingshu.org/?p=2220).
- [见招拆招:绕过WAF继续SQL注入常用方法](http://www.freebuf.com/articles/web/36683.html) - Written by [mikey](http://www.freebuf.com/author/mikey).
-- [MySQL Error Based SQL Injection Using EXP](https://www.exploit-db.com/docs/english/37953-mysql-error-based-sql-injection-using-exp.pdf) - Written by [@osandamalith](https://twitter.com/osandamalith).
+- [MySQL Error Based SQL Injection Using EXP](https://www.exploit-db.com/docs/english/37953-mysql-error-based-sql-injection-using-exp.pdf) - Written by [@osandamalith](https://twitter.com/osandamalith).
- [SQL injection in an UPDATE query - a bug bounty story!](http://zombiehelp54.blogspot.jp/2017/02/sql-injection-in-update-query-bug.html) - Written by [Zombiehelp54](http://zombiehelp54.blogspot.jp/).
- [GitHub Enterprise SQL Injection](http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html) - Written by [Orange](http://blog.orange.tw/).
- [Making a Blind SQL Injection a little less blind](https://medium.com/@tomnomnom/making-a-blind-sql-injection-a-little-less-blind-428dcb614ba8) - Written by [TomNomNom](https://twitter.com/TomNomNom).
@@ -759,6 +765,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [Dnslogger](https://wiki.skullsecurity.org/index.php?title=Dnslogger) - DNS Logger by [@iagox86](https://github.com/iagox86).
- [CyberChef](https://github.com/gchq/CyberChef) - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by [@GCHQ](https://github.com/gchq).
+- [ntlm_challenger](https://github.com/b17zr/ntlm_challenger) - Parse NTLM over HTTP challenge messages by [@b17zr](https://github.com/b17zr).
## Social Engineering Database
diff --git a/README.md b/README.md
index fbf7c0b..12eb732 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [Books](#books)
- [DNS Rebinding](#dns-rebinding)
- [Evasions](#evasions)
+ - [XXE](#evasions-xxe)
- [CSP](#evasions-csp)
- [WAF](#evasions-waf)
- [JSMVC](#evasions-jsmvc)
@@ -325,6 +326,11 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
## Evasions
+
+### XXE
+
+- [Bypass Fix of OOB XXE Using Different encoding](https://twitter.com/SpiderSec/status/1191375472690528256) - Written by [@SpiderSec](https://twitter.com/SpiderSec).
+
### CSP
@@ -403,7 +409,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
### SQL Injection
-- [MySQL Error Based SQL Injection Using EXP](https://www.exploit-db.com/docs/english/37953-mysql-error-based-sql-injection-using-exp.pdf) - Written by [@osandamalith](https://twitter.com/osandamalith).
+- [MySQL Error Based SQL Injection Using EXP](https://www.exploit-db.com/docs/english/37953-mysql-error-based-sql-injection-using-exp.pdf) - Written by [@osandamalith](https://twitter.com/osandamalith).
- [SQL injection in an UPDATE query - a bug bounty story!](http://zombiehelp54.blogspot.jp/2017/02/sql-injection-in-update-query-bug.html) - Written by [Zombiehelp54](http://zombiehelp54.blogspot.jp/).
- [GitHub Enterprise SQL Injection](http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html) - Written by [Orange](http://blog.orange.tw/).
- [Making a Blind SQL Injection a little less blind](https://medium.com/@tomnomnom/making-a-blind-sql-injection-a-little-less-blind-428dcb614ba8) - Written by [TomNomNom](https://twitter.com/TomNomNom).
@@ -710,6 +716,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [Dnslogger](https://wiki.skullsecurity.org/index.php?title=Dnslogger) - DNS Logger by [@iagox86](https://github.com/iagox86).
- [CyberChef](https://github.com/gchq/CyberChef) - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by [@GCHQ](https://github.com/gchq).
+- [ntlm_challenger](https://github.com/b17zr/ntlm_challenger) - Parse NTLM over HTTP challenge messages by [@b17zr](https://github.com/b17zr).
## Social Engineering Database