Detecting XML External Entities                                             Chapter 7

            Instructions to reproduce

            Our instructions to reproduce are to navigate to the form and use a proxy tool (in our case,
            Burp Proxy) to replace the form data with our payload.


            Attack scenario

            We've already seen how an entity expansion pointing to  EFW SBOEPN can cause a server
            to crash. Using an XXE attack, we can also disclose the contents of sensitive server files like
             FUD QBTTXPSE and, in some cases, perform RCE.


            Final report

            Let's use this information to format our submission:

                $"5&(03:  99& BUUBDL
                5*.&                           65$

                63-  IUUQ

                1":-0"%
                  YNM WFSTJPO       FODPEJOH  65'
                  %0$5:1& SFQMBDF <  &/5*5: FYBNQMF  4VDDFTT   >
                 SPPU  OBNF &EXBSE
                )BXLT  OBNF  UFM             UFM  FNBJM  FYBNQMF   FNBJM  QBTTXPSE SPHVFNPP
                O  QBTTXPSE   SPPU

                .&5)0%0-0(:  5IF WVMOFSBCJMJUZ XBT EJTDPWFSFE CZ NBOVBMMZ JOUFSDFQUJOH BOE
                FEJUJOH UIF DSFBUF BDDPVOU GPSN UP JODMVEF UIF BCPWF FOUJUZ SFQMBDFNFOU
                DIBOHFT

                */4536$5*0/4 50 3&130%6$&

                   /BWJHBUF UP UIF DSFBUF BDDPVOU GPSN BU IUUQ
                   &OUFS EVNNZ WBMVFT JOUP UIF GPSN BOE TVCNJU JU

                   *OUFSDFQU UIF HFOFSBUFE )551 1045 SFRVFTU VTJOH B UPPM MJLF #VSQ 1SPYZ
                &EJU UIF 9.- EBUB UP JODMVEF UIF QBZMPBE BCPWF

                   'PSXBSE UIF 1045 SFRVFTU PO UP UIF TFSWFS

                "55"$, 4$&/"3*0

                                                    [ 126 ]