A5:2021 | Security Misconfiguration (10) | Cycubix Docs
PreviousA5:2021 | Security Misconfiguration (9) | Cycubix DocsNextA5:2021 | Security Misconfiguration (11) | Cycubix Docs
Last updated
Was this helpful?
Last updated
Was this helpful?
In some cases you will see no output because although your attack might have worked the field is not reflected in the output of page. Or the resource you are trying to read contains illegal XML character which causes the parser to fail. Let’s start with an example, in this case we reference an external DTD which we control on our own server.
As an attacker you have WebWolf under your control (this can be any server under your control.), you can for example use this server to ping it using
How do we use this endpoint to verify whether we can perform XXE?
We can again use WebWolf to host a file called attack.dtd, create this file with the following contents:
Now submit the form change the xml using to:
Now in WebWolf browse to 'Incoming requests' and you will see:
So with the XXE we are able to ping our own server which means XXE injection is possible. So with the XXE injection we are basically able to reach the same effect as we did in the beginning with the curl command.