In part one of this XXE series we covered the basics of XML. In this second part we will cover the basic concept of XXE: what it is, and a basic example of it.
First, what is XXE?
XML External Entity (XXE) injection is caused by a misconfigured XML parser: when an XML document declares an external entity, the parser resolves the reference (a local file path or a URL) and includes the fetched content in the parsed result.
Let's see a basic example of XXE vulnerability.
I have a vulnerable web application that takes an RSS feed URL as input and parses the feed with an XML parser.
Now I will create an RSS feed XML document containing the malicious entity that reads the /etc/passwd file, and host that file on an HTTP server, because the vulnerable web application only accepts a URL.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE feed [
  <!-- external entity pointing at a local file on the server -->
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<feed>
  <title>Malicious RSS</title>
  <description>This is a Malicious RSS File</description>
  <entry>
    <title>Sensitive Data</title>
    <link href="http://example.com"></link>
    <!-- the parser replaces this reference with the file's contents -->
    <content>&xxe;</content>
  </entry>
</feed>
In the above payload, the first line is the XML prolog. Next comes the DTD, in which we declare the external entity xxe pointing at the /etc/passwd file; the reference &xxe; inside the content tag tells the parser to include that file's contents there.
When the vulnerable application parses this feed, the XML parser expands the entity, and, as you can see in the response, it displays the contents of the /etc/passwd file.
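The defensive side of the same behaviour, as an added example that is not part of the original post: a feed parser that refuses any DOCTYPE, entity declaration or external entity reference before anything is expanded. It uses only the Python standard library (expat's declaration handlers fire while the document is being read, before the parser could open a file or URL), and the two feeds below are constructed samples: the post's payload and a benign feed.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed sample: the payload from the post above.
MALICIOUS_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE feed [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<feed>
<title>Malicious RSS</title>
<entry><title>Sensitive Data</title><content>&xxe;</content></entry>
</feed>"""

# Constructed sample: an ordinary feed that declares no DTD at all.
BENIGN_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed>
<title>Plain RSS</title>
<entry><title>Hello</title><content>just text &amp; markup</content></entry>
</feed>"""


class DTDRejected(ValueError):
    """Raised when a feed carries a DOCTYPE, an entity declaration or an
    external entity reference."""


def reject_dtd(xml_text: str) -> None:
    """Scan the document with a bare expat parser and abort on any DTD
    construct. Raising inside a handler propagates out of Parse(), so the
    scan stops at the first offending declaration."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Feeds have no business carrying a DTD; refuse the whole document.
        raise DTDRejected(f"DOCTYPE not allowed (root={name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DTDRejected(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        raise DTDRejected(f"external entity reference not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_text, True)


def is_safe(xml_text: str) -> bool:
    """True if the document contains no DTD constructs."""
    try:
        reject_dtd(xml_text)
    except DTDRejected:
        return False
    return True


def parse_feed(xml_text: str) -> list:
    """Return the <content> text of every entry, refusing any DTD first."""
    reject_dtd(xml_text)
    root = ET.fromstring(xml_text)
    return [entry.findtext("content", default="") for entry in root.iter("entry")]


if __name__ == "__main__":
    print("benign:", parse_feed(BENIGN_FEED))
    try:
        parse_feed(MALICIOUS_FEED)
    except DTDRejected as exc:
        print("malicious feed rejected:", exc)
```

Rejecting the DTD outright is the simplest hardening for an RSS endpoint, since legitimate feeds do not need one; libraries such as defusedxml apply the same rule, and lxml offers the equivalent switches (XMLParser with resolve_entities=False and no_network=True). Note that the check runs on the raw text, so the decision is made before the application's real parser ever sees the document.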