- Navigate to the XML External Entity Injection page via Others | XML External Entity Injection | XML Validator:
- While on the XML Validator page, submit the example XML that is provided on the page by clicking the Validate XML button:
- Switch to the Burp Proxy | HTTP history tab and look for the request you just submitted to validate the XML. Right-click and send the request to Repeater:
- Note the value provided in the xml parameter:
- Use Burp Proxy Intercept to replace the value of this xml parameter with the following payload. The payload declares an external entity that points at a file on the operating system which should not be viewable through the application, namely the /etc/passwd file:
<?xml version="1.0"?>
<!DOCTYPE change-log[
<!ENTITY systemEntity SYSTEM "../../../../etc/passwd">
]>
<change-log>
<text>&systemEntity;</text>
</change-log>
Since the new XML message contains special characters and spaces, we'll paste this payload into the Decoder section and URL-encode it before pasting it into the xml parameter.
- Switch to the Decoder section and type or paste the new payload into the text area. Click the Encode as… button and select the URL option from the drop-down list. Then copy the URL-encoded payload with Ctrl + C, scrolling to the right to make sure you copy all of it:
- Switch to the Burp Proxy | Intercept tab and turn the interceptor on, so that the button reads Intercept is on.
- Return to the Firefox browser and reload the page. While the request is paused, replace the current value of the xml parameter with the new URL-encoded payload:
- Click the Forward button, then turn the interceptor off by toggling the button to Intercept is off.
- Note that the returned XML now shows the contents of the /etc/passwd file! The XML parser resolved the external entity and returned the /etc/passwd file from the operating system:
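The validator above is vulnerable because its parser honours the DOCTYPE and resolves the SYSTEM entity. As an added example (not code from the book or from Mutillidae), here is a hypothetical hardened replacement for such a change-log validator: it uses Python's expat binding to abort on the first DOCTYPE declaration, so the payload from the walkthrough is rejected before any entity can be declared, while a benign change-log document still parses.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when a document declares a DOCTYPE; DTDs (and so entities) are refused."""


def parse_change_log(xml_text: str) -> str:
    """Return the <text> content of a change-log document, refusing any DTD.

    Hypothetical hardened validator: expat parses the document, but the first
    DOCTYPE declaration raises before an entity such as systemEntity can be
    declared or resolved, so the file it points at is never read.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' not allowed: DTD processing is disabled")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: even if a DTD slipped through, never fetch external content.
        raise DtdNotAllowed(f"refusing external entity {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks).strip()


# Constructed sample: the XXE payload from the walkthrough above.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE change-log[
<!ENTITY systemEntity SYSTEM "../../../../etc/passwd">
]>
<change-log>
<text>&systemEntity;</text>
</change-log>"""

# Constructed sample: a benign change-log the validator should still accept.
BENIGN = "<change-log><text>release 1.2: fixed login bug</text></change-log>"


def check(xml_text: str) -> str:
    """Return the parsed text, or a short rejection message instead of raising."""
    try:
        return parse_change_log(xml_text)
    except DtdNotAllowed as exc:
        return f"REJECTED: {exc}"
```

Running `check(XXE_PAYLOAD)` yields a rejection naming the change-log DOCTYPE, and `check(BENIGN)` returns the release note text.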