Adding the DOCTYPE , a new ENTITY pointing to the filesystem root:
Modify request with Burpsuite, you can see the data is in json type.
The response is: "You are posting JSON which does not work with a XXE"
First, you must change Content-Type from application/json to application/xml. Next, do similarly with past challenge:
File to upload to webgoft:
Modify Post request (post command with burpsuite) and edit to:
Reload page and submit value you receive:
Last updated 4 years ago
<?xml version="1.0" encoding="UTF-8"?> <!ENTITY secret SYSTEM 'file:///home/webgoat/.webgoat-8.2.2//XXE/secret.txt'>
