XXE clarification

Hello fellow ninjas!

I am new to web app sec, and I have submitted all P5s, as these seem to be the only things I can find. It’s great for learning, and I’m attempting to use no tools other than Burp and a browser because I want to learn manually. I feel like I spend a lot of time getting lost following a focused methodology, like I’ll poke at a POST request, then I’ll see some interesting URL in the response, then get lost following that pattern. So, I really want to start “specializing” in a few bugs so I’m not spending time on P5s. Sadly, these are the only bugs I can really recognize, as I’m not yet familiar with what I am seeing. I’d like to start working with XXE and I’ve been reading all I can, but I’m a bit confused about the hands-on part in a real-world app. I guess where I’m confused is which payloads to try, as some have different encodings, and where to try the payload. Do I try it on a page where XML or JSON is accepted? Switching content types, methods like swapping GET to POST, then pasting a payload? Any advice?

Hi @paxtammy,

Reading your words, I think you are going in the right direction. :+1:
About your XXE question: it really depends on the context. Usually, when the request has an XML structure, you can test it easily. Sometimes the XML request is sent encoded in base64; I saw that one time but I don’t remember where. Other times the endpoint accepts any request content type, but you have to change the original request (JSON or whatever) to test it.
It’s normal to be confused, you probably know that, so keep reading about it until your mind “clicks” and you get it.
I wouldn’t try random payloads because that way you are not going to understand what you are doing and, from what I understand, that is not your goal.

Thanks for your feedback!
I’ve been catching the gist as I’ve been watching videos and reading up on XXE. I think it’s somewhat rare to see an XML-formatted request, but I’m new so I can’t tell. But what I’ve been doing is, on a POST request like a login or upload, I change the content type to JSON or XML (application/xml or application/json), then remove all parameters and post an XXE payload, error-based, as I don’t have a server yet to test with. I’m only able to use Windows at the moment, as my Kali Linux box’s HDD fried :frowning:

I guess what I really want to know most is what type of pages or requests to attempt XXE on. Recently I was messing with XXE using the method I described above, and the app response came back with some XML, but with values like xs:something formatted in XML.
Not sure what that means, but it didn’t return anything juicy or exciting.

You never know if the server processes XML until you test it, so you are doing it right. If you have the patience to test it even if the endpoint doesn’t look like it accepts XML, then you may be able to find some bugs that are usually not found.

You are right that formatted XML requests are very rare.

I think you are confused about JSON and XML… The XXE vulnerability is only exploitable where an XML request is processed, not when a JSON one is processed. Sometimes the endpoints that accept JSON accept XML too (very common in Ruby on Rails web applications).

The easiest way to test is when the error returns an error for your request. The blind XXE is harder to identify when you are starting out, because it’s “blind” :D. However, it would be good if you set up a server for your tests or at least use something like http://requestb.in, because it’s faster and easier I think than pointing to your public IP address and you won’t always have access to a public IP.
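
Seen from the server side, the conditions discussed in this thread (a content type the endpoint is not meant to take, XML sent base64-encoded, and a DOCTYPE in the body) can be checked before a request reaches any application parser. The Python below is an added example, not part of the original thread; the JSON-only allowlist, the function names and the sample bodies are constructed assumptions.

```python
import base64
import binascii
from xml.parsers import expat

# Assumption: this endpoint is meant to accept JSON only.
ALLOWED_TYPES = {"application/json"}

class DoctypeFound(Exception):
    """Raised from the expat handler to stop parsing at a DOCTYPE."""

def xml_has_doctype(data: bytes) -> bool:
    """True if the data is XML that opens a DOCTYPE declaration."""
    parser = expat.ParserCreate()
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeFound(name)  # abort before any entity is declared
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except DoctypeFound:
        return True
    except expat.ExpatError:
        pass  # not well-formed XML, and no DOCTYPE was seen before the error
    return False

def candidates(body: bytes):
    """Yield the body as sent and, if it is valid base64, its decoded form."""
    yield "raw", body
    try:
        decoded = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return
    yield "base64", decoded

def inspect_request(content_type: str, body: bytes) -> list:
    """Return findings to reject or log for a JSON-only endpoint."""
    findings = []
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_TYPES:
        findings.append(f"unexpected content type: {media_type}")
    for label, data in candidates(body):
        data = data.lstrip()
        if data.startswith(b"<"):
            findings.append(f"XML body ({label})")
            if xml_has_doctype(data):
                findings.append(f"DOCTYPE declaration ({label})")
    return findings

# Constructed samples; the entity is internal and harmless.
SAMPLE_JSON = b'{"user": "alice"}'
SAMPLE_XML = (b'<?xml version="1.0"?><!DOCTYPE note '
              b'[<!ENTITY greeting "hello">]><note>&greeting;</note>')
```

An empty list from `inspect_request` means the request matches what the endpoint expects; any finding is a reason to reject the request and log it.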