This is our 9th lab on XML external entity (XXE) injection. The lab is provided by PortSwigger Web Security and is named “Exploiting XXE to retrieve data by repurposing a local DTD.” In today’s article, we will solve this lab.
Lab description: Exploiting XXE to retrieve data by repurposing a local DTD
In this lab, we have a stock check feature that parses XML input but does not display the result. To solve the lab, we need to trigger an error message whose content includes the contents of the “/etc/passwd” file. To do that, we need to reference a DTD file that already exists on the server.
Hint: The system is running the GNOME desktop environment, which ships its own DTD at /usr/share/yelp/dtd/docbookx.dtd. That DTD contains an entity named ISOamso.
To solve the lab, first, you need to access the lab. After accessing the lab, you will see various products. Click on any product to view its details.
Now, you will find a button labeled “Check stock.” Click on it and intercept the request in Burp Suite.
<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
    <!ENTITY % ISOamso '
        <!ENTITY % file SYSTEM "file:///etc/passwd">
        <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
        %eval;
        %error;
    '>
    %local_dtd;
]>
After intercepting, send the POST request to Repeater. Copy the DOCTYPE block provided above and place it between the XML declaration and the stock check element.
In the provided DOCTYPE, you can clearly see that we are attempting to read file:///etc/passwd from the server. The trick is that we are reusing GNOME’s local DTD: the first declaration loads it as a parameter entity,
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
and our internal subset then redefines the ISOamso entity that this DTD already declares. When %local_dtd; is processed and the DTD references ISOamso, our nested declarations are evaluated: the file entity reads /etc/passwd, eval declares an error entity whose SYSTEM path embeds that file’s contents, and the failed lookup of the nonexistent path produces an error message that echoes the contents back to us.
Send the request. The response is an error message that contains the contents of /etc/passwd, and we have successfully solved the lab called Exploiting XXE to retrieve data by repurposing a local DTD.
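As an added, defender-side example that is not part of the lab or of this article, the Python standard-library guard below rejects any stock-check request carrying a DOCTYPE before the application’s XML parser can load a DTD or expand an entity. The stockCheck, productId and storeId element names are an assumption about the request body, and both sample requests are constructed (the second embeds the payload above).

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample requests. The stockCheck/productId/storeId element names
# are an assumption about the lab's request body, not taken from the article.
BENIGN_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>'
                  b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
XXE_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM '
               b'"file:///usr/share/yelp/dtd/docbookx.dtd"> <!ENTITY % ISOamso \''
               b' <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % eval '
               b'"<!ENTITY &#x25; error SYSTEM \'file:///nonexistent/%file;\'>"> '
               b'%eval; %error; \'> %local_dtd; ]>'
               b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')


class DoctypeRejected(Exception):
    """Raised the moment the parser sees a <!DOCTYPE ...> declaration."""


def reject_if_doctype(xml_bytes: bytes) -> None:
    """Scan with expat and abort on the first DOCTYPE. The handler fires when
    '<!DOCTYPE' is read, before any entity in the internal subset is declared,
    so the local DTD is never loaded and no parameter entity is expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r}, internal subset: "
                              f"{bool(has_internal_subset)}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def handle_stock_check(xml_bytes: bytes) -> dict:
    """Run the guard first; only a DTD-free, well-formed document is parsed."""
    try:
        reject_if_doctype(xml_bytes)
    except DoctypeRejected as exc:
        return {"status": "rejected", "reason": f"DTD not allowed: {exc}"}
    except xml.parsers.expat.ExpatError as exc:
        return {"status": "rejected", "reason": f"malformed XML: {exc}"}
    root = ET.fromstring(xml_bytes)
    if root.tag != "stockCheck":
        return {"status": "rejected", "reason": f"unexpected root {root.tag!r}"}
    return {"status": "ok", "productId": root.findtext("productId"),
            "storeId": root.findtext("storeId")}
```

Rejecting the DOCTYPE outright is the simplest hardening when the parser cannot be configured to ignore DTDs; a rejected request should also be logged, since a DOCTYPE in a stock-check body is a reliable detection signal.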
If you want to learn web security, you can find all of our web security articles on our website. We publish new web security articles daily, so stay with us.
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.
Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always good practice to use an up-to-date browser and apply updates promptly. Keep your browser plugins up to date, avoid malicious websites and links, always enable two-factor authentication, and guard against clickjacking.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.