XML external entity (XXE) injection
In this section, we’ll explain what XML external entity injection is, describe some common examples, explain how to find and exploit various kinds of XXE injection, and summarize how to prevent XXE injection attacks.
What is XML external entity injection?
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.
Lab: Exploiting XXE using external entities to retrieve files
This lab has a “Check stock” feature that parses XML input and returns any unexpected values in the response.
To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file.
Visit the lab, then click any item to view its details.
Then use the “Check stock” feature.
In Burp, open the HTTP history and find the stock-check request.
Send the request to Repeater.
The stock check is submitted as XML. Insert the following external entity definition between the XML declaration and the stockCheck element:
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
I made one mistake: I did not add the ; semicolon at the end of xxe in the product id.
You can see the data is there, and now the lab is solved.
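To show the defensive side of what the lab demonstrates, here is an added Python example, not code from the original page or from the lab: a server-side stock-check parser built on the standard library's expat bindings that refuses any DOCTYPE or entity declaration, so the entity definition above is rejected before it can ever be expanded. The stockCheck/productId/storeId element names and both sample bodies are constructed for this example.

```python
import xml.parsers.expat


class DtdRejected(Exception):
    """Raised when incoming XML carries a DOCTYPE or an entity declaration."""


def parse_stock_check(xml_bytes: bytes) -> dict:
    """Parse a stock-check body into {child element name: text}, refusing any DTD."""
    parser = xml.parsers.expat.ParserCreate()
    fields, stack, text = {}, [], []  # result, open element names, pending text

    # The application never needs a DTD, so refuse it before expat expands
    # anything; an external entity is then never resolved at all.
    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed")

    def entity_decl(name, *_):
        raise DtdRejected(f"entity declaration {name!r} is not allowed")

    def start_element(name, attrs):
        stack.append(name)
        text.clear()

    def end_element(name):
        if len(stack) == 2:  # closing a direct child of the root element
            fields[name] = "".join(text).strip()
        stack.pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return fields


def rejects_dtd(xml_bytes: bytes) -> bool:
    """True if the body is refused because it carries a DTD."""
    try:
        parse_stock_check(xml_bytes)
    except DtdRejected:
        return True
    return False


# Constructed sample bodies: a normal stock check and the payload from the lab.
BENIGN = b'<?xml version="1.0"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
       b'<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')
```

Rejecting DTDs outright is the simplest fix when the application has no legitimate use for them; if DTDs must be accepted, disable external entity resolution in the parser instead.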