XML External Entity (XXE) Injection



Description

This test targets components that parse XML input. A parser that resolves external entities declared in a document's DTD can be made to read local files (or fetch URLs) on the server's behalf and return their contents in the response.


Examples/Methods/Results

Burp Suite

In the following example we upload an XML file that declares an external entity &xxe; pointing at file:///etc/passwd, so that wherever &xxe; is referenced the parser substitutes the contents of the password file. Payloads of this kind can be found online.

We then upload it on the page that accepts documents.

When we intercept the upload with Burp Suite, we can see the XML file and its contents, including the reference to /etc/passwd at the bottom.

Send the request to Repeater.

Once the request is sent, the response contains the contents of the password file.

We can change /etc/passwd to /etc/shadow and resend the request to see the first entry (root) of the shadow file.
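
The defensive counterpart to the walkthrough above, as an added example that is not part of the original page: a Python upload-handler check that screens a document for a DOCTYPE or external entity declaration, plus the standard-library SAX parser run once with external entity resolution enabled (the vulnerable setting the walkthrough relies on) and once with it disabled. The payload points at a constructed temporary file instead of /etc/passwd; the function names, the regexes and the sample content are assumptions of this example, not anything from the page.

```python
"""Added example: XXE screening and a hardened vs. vulnerable parser setting.

Two layers are shown:
  1. A pre-parse screen that rejects any uploaded document carrying a DTD
     (<!DOCTYPE ...>), which is the only place entities can be declared.
  2. The stdlib SAX parser with external general entity resolution switched
     off, so that even if the screen is bypassed &xxe; expands to nothing.
"""
import io
import os
import re
import tempfile
import xml.sax
import xml.sax.handler

# A DOCTYPE declaration (with or without an internal subset).
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# An entity (general or parameter) whose value comes from a SYSTEM/PUBLIC identifier.
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def screen_upload(xml_bytes: bytes) -> list:
    """Return the reasons to reject an upload; an empty list means it looks clean."""
    findings = []
    if _DOCTYPE_RE.search(xml_bytes):
        findings.append("DOCTYPE declaration present")
    if _EXTERNAL_ENTITY_RE.search(xml_bytes):
        findings.append("external entity declaration (SYSTEM/PUBLIC) present")
    return findings


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_document(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse with the stdlib SAX parser and return the concatenated text content.

    resolve_external=True reproduces the vulnerable behaviour (the parser fetches
    the SYSTEM identifier and inlines it); False is the hardened setting.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text)


def build_sample(secret_path: str) -> bytes:
    """Constructed XXE-style payload pointing at a local path (a stand-in, not /etc/passwd)."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE upload [<!ENTITY xxe SYSTEM "file://' + secret_path.encode() + b'">]>\n'
        b"<upload><name>&xxe;</name></upload>\n"
    )


def demo() -> dict:
    """Run the screen and both parser settings against the same document."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "passwd")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash")  # constructed stand-in content
        doc = build_sample(secret)
        return {
            "screen": screen_upload(doc),
            "vulnerable": parse_document(doc, resolve_external=True),
            "hardened": parse_document(doc, resolve_external=False),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The screen is the cheap first line: an upload endpoint that accepts data documents has no legitimate need for a DTD, so rejecting any DOCTYPE removes the entity mechanism entirely. The parser feature is the backstop for code paths that skip the screen; the same idea applies to other parsers (lxml's resolve_entities, Java's disallow-doctype-decl feature), which is what the checklist below is about.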

Checklist

Things to consider:

Further Readings

Walkthrough example