WebGoat XXE 4

This lesson is the first test of understanding XXE, so let's start by entering some text and submitting the comment.

The comment appears as expected; let's see what shows up in Burp.

The comment is in the request as expected, and of course that is not the solution of the lesson.
What is needed is an XML entity requesting the / directory of the filesystem, something like the following code:
<?xml version="1.0"?>
<!DOCTYPE another [
<!ENTITY fs SYSTEM "file:///">
]>
<comment>
<text>
yea
&fs;
</text>
</comment>

By adding a DOCTYPE (as in the previous WebGoat XXE lessons) that declares a new ENTITY pointing to the filesystem root, and then referencing that entity in the comment text, the lesson is completed.

After reloading the lesson page, the newly added comment has the “yea” text plus a listing of the filesystem / directory.

WebGoat XXE 7

Same exercise as XXE 4, but this time the webapp is using a “modern REST framework”; let's input a comment.

The comment pops up as before.

This time the POST request data is JSON, and the response says clearly that in order to get an XXE injection the request must be XML.
The WebGoat hints on this lesson help a lot; they suggest checking the request “Content-Type” header.

So by sending the request to Burp Repeater, changing “Content-Type” to “application/xml” and putting in the same XML data as in the previous exercise, the lesson is completed.

And the new comment shows once again the content of the / directory on the system.
This concludes WebGoat XXE 4 and 7.
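As an added defender-side example (not WebGoat's code and not part of the original post), here is a hypothetical Python comment endpoint that closes both holes shown above: it allow-lists the Content-Type instead of trusting it (lesson 7) and refuses any DOCTYPE at the parser level, so no entity such as the file:/// one can ever be declared (lesson 4). The request bodies are constructed samples.

```python
import xml.parsers.expat as expat

# Constructed sample request bodies: a benign comment and the lesson's payload.
BENIGN_BODY = '<?xml version="1.0"?><comment><text>yea</text></comment>'
XXE_BODY = ('<?xml version="1.0"?><!DOCTYPE another [<!ENTITY fs SYSTEM "file:///">]>'
            '<comment><text>yea &fs;</text></comment>')

def parse_comment(content_type, body):
    """Return the <text> of a comment, or raise ValueError for anything unsafe."""
    # Lesson 7 was solved by flipping Content-Type from JSON to application/xml,
    # so treat the media type as an explicit allow-list, not a hint.
    media = content_type.split(";", 1)[0].strip().lower()
    if media not in ("application/xml", "text/xml"):
        raise ValueError(f"unsupported Content-Type: {media}")
    parser = expat.ParserCreate()
    parts, state = [], {"in_text": False}

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # The DTD is the only place a body can declare entities (lesson 4's
        # ENTITY fs SYSTEM "file:///"), so refusing every DOCTYPE closes XXE
        # and entity-expansion DoS before a single entity is defined.
        raise ValueError("DOCTYPE declarations are not accepted")

    def start(name, attrs):
        state["in_text"] = (name == "text")

    def end(name):
        if name == "text":
            state["in_text"] = False

    def chars(data):
        if state["in_text"]:
            parts.append(data)

    parser.StartDoctypeDeclHandler = reject_doctype
    # Second line of defence: never fetch an external entity even if one slips in.
    parser.ExternalEntityRefHandler = lambda *_: 0
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    return "".join(parts).strip()

def handle_comment(content_type, body):
    """Endpoint-style wrapper: ('accepted', text) or ('rejected', reason)."""
    try:
        return ("accepted", parse_comment(content_type, body))
    except ValueError as exc:
        return ("rejected", str(exc))
```

A rejected DOCTYPE is also the signal worth logging: legitimate clients of a comment API never send a DTD, so each rejection is a high-fidelity detection event.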
I hope you liked it.
PVXs — https://twitter.com/pivixih