A5:2021 | Security Misconfiguration (4) | Cycubix Docs
Let’s try
In this assignment you will add a comment to the photo. When submitting the form, try to execute an XXE injection through the comments field, and use it to list the root directory of the filesystem.
Solution
Hints: Try submitting the form and see what happens. Use ZAP/Burp to intercept the request and try to include your own DTD. Try to include a doctype "(<!DOCTYPE...)" in the xml. This exercise is all about understanding how the XXE injection works.
Do not forget to reference the entity.
For this exercise we can use Burp, ZAP or the browser's Developer Tools. First open Intercept (Burp) or Break (ZAP). Then submit a comment on WebGoat and analyze the request.
Note the format of the XML body that carries the text "I am a cat" and the path of the POST request.
In Burp Suite or ZAP, replace the request body with the following to probe whether the server is vulnerable:
<?xml version="1.0"?><!DOCTYPE comment [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;</text></comment>
With Developer Tools you can follow these steps:
Open the Developer Tools in the browser and go to the Network tab.
On WebGoat, post a comment.
Locate the request to simple in the Network tab and click on Edit and Resend.
Edit the body with:
<?xml version="1.0"?><!DOCTYPE comment [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;</text></comment>
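The reason the probe above works is that the comment endpoint hands the raw body to an XML parser that honours the DOCTYPE and expands the external entity. The defensive counterpart, shown here as an added example that is not part of the WebGoat lesson or its code, is a parser wrapper that refuses any DTD before an entity can be declared, plus a lightweight signature check suitable for logging such requests. It uses only Python's standard expat bindings; the benign request body and the function names are constructed for this illustration, and the probe body is the one given in the exercise.

```python
import re
import xml.parsers.expat as expat

# Constructed sample bodies: the first mirrors a normal WebGoat comment,
# the second is the probe payload from the exercise text.
BENIGN_BODY = b'<?xml version="1.0"?><comment><text>I am a cat</text></comment>'
XXE_PROBE_BODY = (
    b'<?xml version="1.0"?><!DOCTYPE comment [<!ENTITY xxe SYSTEM "file:///">]>'
    b"<comment><text>&xxe;</text></comment>"
)

# Signature for an entity that points outside the document (SYSTEM or PUBLIC id).
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


class DoctypeRejected(ValueError):
    """Raised when a request body carries a DTD, the precondition for XXE."""


def looks_like_xxe(body: bytes) -> bool:
    """Cheap pre-parse check for detection/logging: does the body declare an
    external entity? This is a signal, not the mitigation; the parser below is."""
    return _EXTERNAL_ENTITY.search(body) is not None


def parse_comment_safely(body: bytes) -> str:
    """Extract <comment><text>...</text></comment> while refusing any DOCTYPE.

    Expat does not fetch external entities unless an ExternalEntityRefHandler
    is installed, but rejecting the DTD outright is the simplest parser-
    independent rule: with no ENTITY declaration there is nothing for
    &xxe; to expand into.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parts = []
    state = {"in_text": False}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen; the exception propagates
        # out of parser.Parse() and aborts parsing before any entity exists.
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in comment bodies")

    def on_start(tag, attrs):
        if tag == "text":
            state["in_text"] = True

    def on_end(tag):
        if tag == "text":
            state["in_text"] = False

    def on_chars(data):
        if state["in_text"]:
            parts.append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(body, True)
    return "".join(parts)


def classify_body(body: bytes) -> str:
    """Return 'ok' with the extracted text accepted, or 'rejected' when the
    body carried a DTD. A server would return HTTP 400 in the second case."""
    try:
        parse_comment_safely(body)
        return "ok"
    except DoctypeRejected:
        return "rejected"


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("probe", XXE_PROBE_BODY)):
        print(label, "signature:", looks_like_xxe(body), "parser:", classify_body(body))
```

Running the block shows the benign comment parsed to its text while the probe is flagged by the signature and rejected by the parser before &xxe; is ever resolved. The same idea applies to the Java parser WebGoat uses: disallow the doctype-decl feature (or disable external general and parameter entities) on the DocumentBuilderFactory or XMLInputFactory rather than relying on input filtering alone.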
Details of the solution are on the following page.