The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

XXE file protocol to retrieve files

Jaak | Last updated: Jun 17, 2022 09:41PM UTC

Hello, first of all: thanks for the amazing learning materials, I have really learned a lot!

My question concerns XXE, specifically the "file" protocol mentioned in the learning materials. It says that:

"The declaration of an external entity uses the SYSTEM keyword and must specify a URL from which the value of the entity should be loaded [...] The URL can use the file:// protocol, and so external entities can be loaded from file. For example: <!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>"

Now, while that works in the PortSwigger labs, I have had one encounter in a different challenge where using the file protocol to retrieve a file fails:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///../../core/config.dat"> ]><root><email>&xxe;</email><password>abc</password></root>

(I get error messages instead of the contents of the file), while just using the file name (without the file protocol) works just fine:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "./../../core/config.dat"> ]><root><email>&xxe;</email><password>abc</password></root>

The error message provided is basically:

Warning: DOMDocument::loadXML(): I/O warning: failed to load external entity "file:///../core/config.dat" in process.php

Now what I'd like to know:
1) Does anyone know why that is? Might it be because of how the lab/underlying infrastructure is set up?
2) Is it better/possible to always only use the path to the file without the "file" protocol?
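The difference between the two SYSTEM identifiers in the post comes down to how a file-based identifier is turned into a filesystem path. The following is an added example (not from the post or from PortSwigger's materials) that mirrors that resolution and adds the pre-parse check a server owner would want; it assumes the PHP process's working directory is /var/www/html/app, which is a constructed value.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Constructed assumption: the directory process.php runs from. With
# DOMDocument::loadXML() the document has no URI of its own, so libxml2
# resolves a relative SYSTEM identifier against the process working directory.
ASSUMED_CWD = "/var/www/html/app"

# The two payloads quoted in the post, reused here as sample input.
PAYLOAD_FILE_URI = ('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ '
                    '<!ENTITY xxe SYSTEM "file:///../../core/config.dat"> ]>'
                    '<root><email>&xxe;</email><password>abc</password></root>')
PAYLOAD_RELATIVE = PAYLOAD_FILE_URI.replace("file:///../../", "./../../")


def resolve_system_id(system_id: str, base_dir: str = ASSUMED_CWD) -> str:
    """Return the filesystem path a file-based SYSTEM identifier maps to.

    * file:///... carries an absolute path. The kernel treats '..' at '/'
      as '/' itself, so file:///../../core/config.dat opens /core/config.dat,
      which is why the parser reports 'failed to load external entity'.
    * A bare relative path is joined to the document base (here the cwd),
      so ./../../core/config.dat climbs two levels from /var/www/html/app.
    """
    parts = urlsplit(system_id)
    if parts.scheme == "file":
        if parts.netloc not in ("", "localhost"):
            raise ValueError("remote file URI not handled: %s" % system_id)
        path = unquote(parts.path)          # already starts with '/'
    elif parts.scheme:
        raise ValueError("not a file-based identifier: %s" % system_id)
    else:
        path = posixpath.join(base_dir, unquote(system_id))
    # normpath collapses './' and '../' and drops '..' above the root,
    # matching the result of open() on the same string.
    return posixpath.normpath(path)


# Defender-side check: any external entity declaration in client-supplied
# XML is a red flag, regardless of which identifier form the sender chose.
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I)


def declares_external_entity(xml_text: str) -> bool:
    """True if the DOCTYPE declares a SYSTEM or PUBLIC entity."""
    return bool(EXTERNAL_ENTITY.search(xml_text))
```

Both forms are caught by the declaration check, so rejecting external entities (or disabling their resolution in the parser) is the fix rather than reasoning about paths.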

Jaak | Last updated: Jun 17, 2022 09:55PM UTC