Page 135 - Hands-On Bug Hunting for Penetration Testers
Chapter 7: Detecting XML External Entities
Testing for XXE – where to find it, and how to verify it
As we discussed previously, none of the inputs available to you needs to announce that the
application accepts XML for a service to be vulnerable to XXE: the XML parsing layer of the
application could be opaque to you, stitching together data that you sent as a GET or POST
request into an XML document.
Besides services that use XML as their primary document format under the hood, there are
also many API services that support several data formats by default. Even if you're making a
GET request and receiving JSON in return, you can test whether or not that API endpoint will
format your request as XML by sending the XML content header, that is,
Content-Type: application/xml. Because services often have this built-in capacity to switch
between content types, the owner of the service might not even know that it can parse
requests as XML.
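The server side of that content-type switch, as an added example that is not from the book or the xxelab project: a hypothetical parse_request_body dispatcher serves JSON to most clients, but the rarely used XML branch is the one that must be hardened, so it refuses any DOCTYPE before an entity can ever be declared. The sample bodies are constructed.

```python
import json
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a request body carries a DTD or external entity reference."""


def parse_xml_strict(body: bytes) -> dict:
    """Parse a flat XML document into {tag: text}, rejecting any DOCTYPE.

    Without a DTD there is nowhere to declare an entity, so the parser never
    gets the chance to resolve an external one.
    """
    result, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        return 0  # defence in depth: abort the parse instead of fetching

    def on_text(data):
        if stack and data.strip():
            result[stack[-1]] = result.get(stack[-1], "") + data

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_entity
    p.StartElementHandler = lambda name, attrs: stack.append(name)
    p.EndElementHandler = lambda name: stack.pop()
    p.CharacterDataHandler = on_text
    try:
        p.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return result


def parse_request_body(content_type: str, body: bytes) -> dict:
    """Dispatch on Content-Type the way a multi-format API does (hypothetical)."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        return json.loads(body)
    if media_type in ("application/xml", "text/xml"):
        return parse_xml_strict(body)
    raise ValueError(f"unsupported Content-Type: {content_type}")


# Constructed sample bodies: a benign document and one carrying a DOCTYPE.
BENIGN_XML = b"<user><name>alice</name><role>viewer</role></user>"
DOCTYPE_XML = b'<!DOCTYPE user [<!ENTITY x "test">]><user><name>&x;</name></user>'


def is_rejected(content_type: str, body: bytes) -> bool:
    try:
        parse_request_body(content_type, body)
    except UnsafeXMLError:
        return True
    return False
```

Run is_rejected("application/xml", DOCTYPE_XML) to confirm the DTD-bearing body is refused while BENIGN_XML and the JSON path still parse.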
XXE – an end-to-end example
Let's set up our XXE lab so that we can see the vulnerability in action. After installing
Vagrant and VirtualBox and cloning the git repository from https://github.com/jbarone/xxelab,
we can start the application by navigating into the xxelab directory and running
vagrant up. After the Ubuntu image and other dependencies have downloaded, your app
should be up and running on http: