Exploiting XXE Using External Entities to Retrieve Files

The target has a “Check stock” feature that parses XML input and echoes any unexpected values back in the response. That makes it possible to inject an XML external entity and retrieve the contents of the /etc/passwd file.

  1. Visit the product page, click “Check stock” and intercept the resulting POST request.
  2. Insert the malicious external entity definition between the XML declaration and the stock check element (note the straight double quotes; curly quotes are not valid XML):

     <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

  3. Replace the productId number with a reference to the external entity: &xxe;
  4. The response should contain “Invalid product Id” followed by the contents of the /etc/passwd file.
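As an added example (not part of the original lab write-up), here is the defender's side of the same request: a Python parser for the stock-check body that refuses the DOCTYPE the payload above relies on and never fetches SYSTEM entities. The request bodies are constructed samples, and the element names stockCheck, productId and storeId are assumptions about the lab's request format.

```python
import io
import xml.sax
from xml.sax import handler

# Constructed sample bodies (assumption: the lab's stock-check request looks like this)
BENIGN_REQUEST = '<?xml version="1.0"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
XXE_REQUEST = ('<?xml version="1.0"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
               '<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')

class UnsafeXML(ValueError): pass  # body carries a DTD or an entity the endpoint must not honour

class RejectDTD:
    """Lexical handler: a stock-check body never needs a DOCTYPE, so any DTD is refused."""
    def startDTD(self, name, public_id, system_id):
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed in a stock-check request")
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

class StockCheckHandler(handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.fields, self._current = {}, None  # text of each leaf element (productId, storeId)
    def startElement(self, name, attrs):
        self._current = name
    def characters(self, content):
        if self._current:
            self.fields[self._current] = self.fields.get(self._current, "") + content
    def endElement(self, name):
        self._current = None
    def skippedEntity(self, name):
        # Second line of defence: fail closed on any entity expat did not expand
        raise UnsafeXML(f"unresolved entity &{name};")

def parse_stock_check(xml_text: str) -> dict:
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)  # never fetch SYSTEM entities
    parser.setProperty(handler.property_lexical_handler, RejectDTD())
    content = StockCheckHandler()
    parser.setContentHandler(content)
    parser.parse(io.StringIO(xml_text))
    return content.fields

def is_safe_request(xml_text: str) -> bool:
    # True when the body parses without tripping either defence
    try:
        parse_stock_check(xml_text)
    except UnsafeXML:
        return False
    return True
```

Rejecting the DTD outright is simpler and more robust than trying to filter individual entity declarations, since it also closes off internal-entity expansion attacks against the same endpoint.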