Exploiting XXE using external entities to retrieve files

https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files

Let's check the stock of one of the products.

Since we are proxying the requests through Burp Suite, we can go to Proxy > HTTP History to view the request.

We can see that the request contains an XML entity.

Let's forward this request to the Repeater for further modification.

Once in the Repeater tab, declare the following internal entity after the XML prologue:

<!DOCTYPE test 
[<!ENTITY test "test_entity">]
>

And reference the entity within the <productId> tag as follows:

<productId>
    &test;
</productId>

The response includes out test entity. This tells us that the application is vulnerable to XXE injection.

Now, in place of the internal entity, declare the following entity:

<!DOCTYPE test 
[<!ENTITY test SYSTEM "file:///etc/passwd">]
>

We have solved the lab.

Last updated 10 months ago