Let’s try

In this assignment, you will add a comment to the photo, when submitting the form try to execute an XXE injection with the comments field. Try listing the root directory of the filesystem.

Solution

• Hints: Try submitting the form and see what happens. Use ZAP/Burp to intercept the request and try to include your own DTD. Try to include a doctype "(<!DOCTYPE...)" in the xml. This exercise is all about understanding how the XXE injection works.

The include can be as follows: <!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]>e

• Do not forget to reference the entity.

In the comment you should references: <comment><text>&root;test</text></comment>

• For this exercise we can use Burp, Zap or Developer Tools. First open the Intercepter (Burp) or Break (Zap). Then submit a comment on WebGoat. Analyze the request.

• Analyze the format of the text "I am a cat" and the path of the Post request.

• In the case of BurpSuite or ZAP, replace the text in the button for the following, to probe that the server is vulnerable:

<?xml version="1.0"?><!DOCTYPE comment [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;</text></comment>

• With Developer tools you can do the following steps:

Open the Development Tools in the browser, and go to the Network tab.

On WebGoat, post a comment.

Locate the query to simple in the Network tab and click on Edit and Resend.

Edit the body with:

<?xml version="1.0"?><!DOCTYPE comment [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;</text></comment>

• Details about the solution come in the following page.