RedTeam
3.Web-Hacking
4.Injection
XXE
Commands
5.xxe Xinclude
  • Try changing format from json to XML
  • try adding entity inside a normal parameter EX: ?id=%26entity;&pass=123 (GET or POST)