Detecting and exploiting an XXE
The general process for detecting this kind of vulnerability is as follows:
- If it's possible, download an XML document generated by the application so you know the structure. If not, create a simple template like the following one, which declares an external entity pointing at a local file and then references that entity in the body:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>
- See if it's possible to add a reference to an external resource. A trick commonly used by attackers is to reference a resource on a server they control and watch for the resulting callback; if the application's parser fetches it, the server's log shows an entry like this:
GET 144.76.194.66 /XXE/ 10/29/15 1:02 PM Java/1.7.0_51
- If it's not possible to add an external reference but you receive an error, modify the request and submit a pair of made-up tags, such as:
<cosa></cosa>
If the error disappears, the parser is accepting the tags as valid markup, which means the input is being processed as XML and the application might be vulnerable.
- Also, you can try entering data before or in...
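The template in the first step doubles as a self-check for your own parsers. The following Python is an added example (not the author's code): it builds a document with the same structure as that template, but points the SYSTEM entity at a constructed canary file rather than /etc/passwd, feeds it to a parser, and reports whether the canary text came back. It puts the weak configuration (xml.sax with external general entities enabled, the default before Python 3.7.1) next to two safe ones: the same parser with the feature off, and a hardened path that rejects any DTD before handing the bytes to ElementTree. The CANARY value, the function names and the temporary file are this example's own assumptions, and it assumes a POSIX path so the file:// URL is well-formed.

```python
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from xml.sax import handler

# Constructed canary: if it shows up in parser output, the SYSTEM entity was resolved.
CANARY = "CANARY-b6f1-this-text-must-not-leak"


def xxe_probe_document(path: str) -> bytes:
    """Same structure as the template above, but the external entity points at
    a local canary file we created (path assumed to be POSIX, e.g. /tmp/...)."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "  <!ELEMENT foo ANY >\n"
        f'  <!ENTITY xxe SYSTEM "file://{path}" >\n'
        "]>\n"
        "<foo>&xxe;</foo>\n"
    ).encode("latin-1")


class _TextCollector(handler.ContentHandler):
    """Collects character data so the probe can inspect what the parser produced."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_sax(data: bytes, resolve_external: bool) -> str:
    """xml.sax with feature_external_ges toggled: True is the weak setting
    (SYSTEM entities are fetched and inlined), False is the safe one."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.parts)


def parse_hardened(data: bytes) -> str:
    """Hardened path: refuse any document carrying a DTD or entity declaration
    before parsing, then use ElementTree, which does not fetch external entities."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD/entity declarations are not accepted in untrusted XML")
    return "".join(ET.fromstring(data).itertext())


def leaks_external_entity(parse_fn) -> bool:
    """True if parse_fn resolves the SYSTEM entity (canary appears in its output);
    False if it skips the entity or rejects the document outright."""
    with tempfile.TemporaryDirectory() as workdir:
        canary_path = os.path.join(workdir, "canary.txt")
        with open(canary_path, "w", encoding="latin-1") as fh:
            fh.write(CANARY)
        doc = xxe_probe_document(canary_path)
        try:
            output = parse_fn(doc)
        except Exception:  # parser refused the document: nothing leaked
            return False
        return CANARY in output


if __name__ == "__main__":
    print("sax, external entities on :", leaks_external_entity(lambda d: parse_with_sax(d, True)))
    print("sax, external entities off:", leaks_external_entity(lambda d: parse_with_sax(d, False)))
    print("hardened ElementTree      :", leaks_external_entity(parse_hardened))
```

Run the probe against whatever parser wrapper your application actually uses; a True result is the same signal the first step above looks for from the outside, obtained before anyone else does. Rejecting the DTD up front is deliberate: it closes the external-entity case and the entity-expansion (billion laughs) case in one check, independent of which parser library sits underneath.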