search

labs

hashtag
Lab - 1: Exploiting XXE using external entities to retrieve files (A)

POST /product/stock HTTP/1.1
...
Referer: https://0aef009d032939ebc0db06e7004100cc.web-security-academy.net/product?productId=1
...
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe; </productId><storeId>1</storeId></stockCheck>

hashtag
Lab - 2: Exploiting XXE to perform SSRF attacks (A)

  • This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.

  • The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive.

POST /product/stock HTTP/1.1
...
Referer: https://0a40003e04c7970fc0d988b500d80014.web-security-academy.net/product?productId=1
...

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

will result latest and follow these results and find that

hashtag
Lab - 3: Blind XXE with out-of-band interaction (P)

hashtag
Lab - 4: Blind XXE with out-of-band interaction via XML parameter entities (P)

hashtag
Lab - 5: Exploiting blind XXE to exfiltrate data using a malicious external DTD (P)

  • This lab has a "Check stock" feature that parses XML input but does not display the result. To solve the lab, exfiltrate the contents of the /etc/hostname file.

  • This end point has XXE vulns:

  • At the exploit server's body, write as an external DTD.

  • This payload path is at https://exploit-0a84007903c25035c024105a01d000b3.web-security-academy.net/exploit

  • At the vulns end-point,

  • It calls the exploit DTD from above as %xxe entity.

  • In exploit DTD, it calls the %file as /?x=%file GET request

  • see in the access log of that exploit server

hashtag
Lab - 6: Exploiting blind XXE to retrieve data via error messages (P)

  • This lab has a "Check stock" feature that parses XML input but does not display the result. To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file. The lab contains a link to an exploit server on a different domain where you can host your malicious DTD.

  • The following end point is vulnerable.

  • In the exploit server body,

  • At the vuln endpoint,

hashtag
Lab - 7: Exploiting XXE to retrieve data by repurposing a local DTD (E)

  • This lab has a "Check stock" feature that parses XML input but does not display the result. To solve the lab, trigger an error message containing the contents of the /etc/passwd file. You'll need to reference an existing DTD file on the server and redefine an entity from it. Systems using the GNOME desktop environment often have a DTD at /usr/share/yelp/dtd/docbookx.dtd containing an entity called ISOamso.

  • At XXE vuln end point, enter that payload.

hashtag
Lab - 8: Exploiting XInclude to retrieve files (P)

  • This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed. Because you don't control the entire XML document you can't define a DTD to launch a classic XXE attack. To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file.

  • At XXE vuln end point,

hashtag
Lab - 9: Exploiting XXE via image file upload

  • This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files. To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the "Submit solution" button to submit the value of the server hostname.

  • upload svg file

Previousnotes

Last updated