PHP-Fusion Powered Website - Articles: CompTIA Security+ Labs

Users Online

· Guests Online: 58

· Members Online: 0

· Total Members: 188
· Newest Member: meenachowdary055

Forum Threads

Newest Threads

No Threads created

Hottest Threads

No Threads created

Latest Articles

· Do while loop
· The for loop in C
· C while loop
· Pointers in C
· Functions in C

Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site,
or upgrade to a Web browser that does support JavaScript; Firefox, Safari, Opera, Chrome or a version of Internet Explorer newer then version 6.

Articles Hierarchy

Articles Home » CompTIA » CompTIA Security+ Labs

CompTIA Security+ Labs

Lab 90 – OWASP A4 EML External Entities (XXE)

Back to lab listing.

Lab Objective:

Learn how to take advantage of an XML External Entity vulnerability to retrieve files.

Lab Purpose:

An XML External Entity vulnerability

Lab Tool:

Kali Linux.

Lab Topology:

You can use Kali Linux in a VM and Burp Suite for this lab.

Lab Walkthrough:

Task 1:

In this lab, I will be using PortSwiggers web academy to demonstrate an XXE injection attack. You will need to register for an account at the following link to complete this lab:

https://portswigger.net/web-security/dashboard

The lab itself can be accessed at the following link once you have created an account:

https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files

Task 2:

Once setup on the site, access the lab. You will be presented with a store webpage. Click “View details” button on any product in the store.

Start Burp Suite and turn intercept on.

You will notice a button at the bottom of the screen called “Check Stock”. Once intercepting mode on, press the “Check stock” button and capture the resulting request in Burp Suite.

With the request captured, right-click and press “Send to Repeater”. Navigate to the Repeater tab where we will continue to edit the request.

The way in which the server serves XML requests is vulnerable in that it parses XML input and returns any unexpected values in the response. This means that we are able to execute commands on the server OS.

To do this, we need to locate the section at the end and create a space between the <?xml version=”1.0″ encoding=”UTF-8″?> and <stockCheck>. In this space, we want to enter the following line of code:

<!DOCTYPE test [ <!ENTITY xxe SYSTEM “file:///etc/passwd”> ]>

We need to make another change before we can submit this request. We need to change the number under the <productId> tag to the following:

&xxe;

The following screenshot shows what the full request should look like:

Once the request has been altered, we can submit the request by pressing the “Send” button on the top left of the Burp Suite Repeater window. You can view the response on the right screen.

You will notice that, while the response returned a Bad Request, it also returned the contents of the /etc/passwd file.

So, what we just did is take an advantage of an XXE vulnerability and pass a command to the OS running on the server.