Steps for Exploiting XXE (XML External Entity) Vulnerability
In this exercise, I demonstrated how to exploit an XXE (XML External Entity) vulnerability using a deliberately vulnerable website and Burp Suite as the primary tool for intercepting and modifying requests.
1. Preparation
- Ensure Burp Suite is installed and configured as the proxy in your browser.
- Enable the browser's proxy settings so that all HTTP/HTTPS traffic flows through Burp Suite.
- Turn on the Intercept option in Burp Suite's Proxy tab.
2. Visiting the Vulnerable Website
The vulnerable website used for the demonstration is:
http://testhtml5.vulnweb.com/#/popular
This site is intentionally insecure and can be used to practice web vulnerability testing.
3. Performing “Forgot Password”
On the website, I navigated to the Forgot Password functionality. Features like this typically produce a request in which the user's input is sent to the server as XML.
4. Intercepting the Request with Burp Suite
- Burp Suite captured the HTTP request triggered by submitting the “Forgot Password” form.
- The request body was XML and made use of explicitly declared entities.
- This indicated that the site was potentially vulnerable to XXE injection.
5. Crafting and Injecting the Payload
Since the request used XML, I attempted to modify the entity definitions to include a malicious payload. For example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<request>
  <username>&xxe;</username>
</request>
After modifying the request and forwarding it through Burp Suite, the server processed the malicious XML entity. This resulted in sensitive file disclosure from the backend server, confirming the XXE vulnerability.
6. Understanding the Breach
- The application's XML parser accepted a user-supplied DTD and resolved the external entity it declared; the input was neither sanitized nor rejected.
- By exploiting this weakness, attackers can retrieve sensitive files, perform SSRF (Server-Side Request Forgery), or in some cases even achieve remote code execution.
- In this demonstration, the vulnerability was triggered during a password reset process, a critical security function, making it even more dangerous.
7. Mitigation Strategies
- Disable DTDs (Document Type Definitions) in XML parsers whenever possible.
- Use modern, secure data formats such as JSON instead of XML where applicable.
- Validate and sanitize user input to ensure external entities are not processed.
- Apply the principle of least privilege so applications cannot access sensitive files.
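The first mitigation, disabling DTDs, as an added example that is not part of the original write-up: a hardened parser for the reset-request shape shown above, built on Python's standard-library expat bindings. The request bodies, the element names and the UnsafeXML error class are constructed for this illustration; the XXE sample mirrors the payload from step 5.

```python
import xml.parsers.expat as expat

# Constructed sample of a benign reset request body.
SAFE_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>'
                b'<request><username>alice</username></request>')
# Constructed sample mirroring the write-up's payload: a DTD that declares an
# external entity pointing at a local file.
XXE_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               b'<request><username>&xxe;</username></request>')


class UnsafeXML(ValueError):
    """Request uses XML features (DTD, entities) the application never needs."""


def parse_username(xml_bytes: bytes) -> str:
    """Return the <username> text, refusing any DTD or external entity.
    A DOCTYPE is the only place entities can be declared, so it is rejected."""
    parser = expat.ParserCreate()
    state = {"in_username": False, "text": []}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE/DTD not allowed in reset requests")

    def external_entity_ref(context, base, sysid, pubid):
        return 0  # defence in depth: abort rather than fetch the resource

    def chars(data):
        if state["in_username"]:
            state["text"].append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = lambda name, attrs: state.update(in_username=name == "username")
    parser.EndElementHandler = lambda name: state.update(in_username=False)
    parser.CharacterDataHandler = chars
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML rejected: {exc}") from exc
    return "".join(state["text"]).strip()


def rejects(xml_bytes: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_username(xml_bytes)
    except UnsafeXML:
        return True
    return False
```

Because the DOCTYPE handler aborts parsing before any entity is resolved, the same check also blocks internal-entity tricks such as entity-expansion (billion laughs) documents, not only the file-disclosure payload shown above.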
Conclusion: This step-by-step demonstration shows how an XXE vulnerability can be exploited using Burp Suite. It also highlights the importance of secure XML parsing and strict input validation to prevent such breaches in real-world applications.