Lab: Exploiting XXE using external entities to retrieve files

Joel O.Joel O.
2 min read

Lab Scenario: Our mission is to exploit XXE through a web application's "Check stock" feature, specifically using external entities to retrieve files. By intercepting and manipulating a POST request, we intend to use XXE to trigger the retrieval of sensitive information from the server, in this case, the contents of the /etc/passwd file. Let's proceed with the solution:

  1. Intercepting the POST Request:

    • Visit a product page and click "Check stock."

    • Intercept the resulting POST request using Burp Suite.

  2. Inserting External Entity Definition:

    • Insert the following external entity definition between the XML declaration and the stockCheck element:

        <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

  3. Replacing the productId with External Entity Reference:

    • Replace the productId number with a reference to the external entity: &xxe;.

    • The response should contain "Invalid product ID:" followed by the contents of the /etc/passwd file.

  4. Confirming the File Retrieval:

    • Inspect the response to ensure that it contains the expected content of the /etc/passwd file.

  5. Submitting the Solution:

    • Use the appropriate method provided by the lab to submit the solution, confirming the successful retrieval of sensitive information.

Conclusion: This lab exercise provides hands-on experience in exploiting XXE vulnerabilities to retrieve files from a web application. By following this step-by-step guide, users can deepen their understanding of XXE attacks and the potential risks associated with improper handling of XML input. Stay informed, keep learning, and continue exploring the dynamic field of cybersecurity to contribute to a more secure online environment.

Reference:

https://portswigger.net/web-security/xxe

https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files

8
Subscribe to my newsletter

Read articles from Joel O. directly inside your inbox. Subscribe to the newsletter, and don't miss out.

xxeBurpsuite portswiggerBurp Suitewebsecurity#cybersecurityhandson

Written by

Joel O.
Joel O.

A passionate cybersecurity enthusiast and cloud aficionado. I am on a mission to unravel the complexities of the ever-evolving cyber landscape and guide you through the vast expanse of cloud technology. As a cybersecurity professional, I bring a wealth of experience in securing digital ecosystems and defending against cyber threats. My journey in the cloud realm has been both thrilling and enlightening, and I am here to share my insights, discoveries, and practical tips with you. In these virtual pages, expect a fusion of in-depth cybersecurity analyses and explorations into the limitless possibilities of cloud computing and cybersecurity. Whether you're a seasoned cybersecurity professional, a cloud enthusiast, or someone just stepping into the digital frontier, there's something here for you.