
XXE


Last updated 3 years ago

5/

Add a DOCTYPE that declares a new ENTITY pointing to the filesystem root:

7/

Intercept the request with Burp Suite; you can see that the data is sent as JSON.

The response is: "You are posting JSON which does not work with a XXE"

First, you must change the Content-Type from application/json to application/xml. Then proceed as in the previous challenge:

11/ Blind XXE assignment

File to upload to WebGoat:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY secret SYSTEM 'file:///home/webgoat/.webgoat-8.2.2//XXE/secret.txt'>

Modify the POST request (the post command, intercepted with Burp Suite) and edit it to:

Reload the page and submit the value you receive:
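
Added example (not from the original writeup or from WebGoat's code): the two server-side checks that defeat the requests in 5/ and 7/, namely refusing any body that declares a DOCTYPE or ENTITY, and refusing a Content-Type the endpoint does not declare. The function names, the `<comment><text>` body shape and the sample bodies are assumptions constructed for illustration.

```python
import json
from xml.parsers import expat


class Rejected(ValueError):
    """Body refused before any entity could be resolved."""


def parse_xml_no_dtd(body: bytes) -> str:
    """Return the text of <comment><text>..</text></comment>; refuse any DTD."""
    parser = expat.ParserCreate()
    text, depth = [], []

    def forbid(*_args):
        raise Rejected("DOCTYPE/ENTITY declarations are not accepted")

    # A DOCTYPE is the precondition for every entity declaration, so stop there.
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.StartElementHandler = lambda name, attrs: depth.append(name)
    parser.EndElementHandler = lambda name: depth.pop()
    parser.CharacterDataHandler = (
        lambda data: text.append(data) if depth[-1:] == ["text"] else None
    )
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise Rejected(f"malformed XML: {exc}") from exc
    return "".join(text)


def read_comment(content_type: str, body: bytes, allowed=("application/json",)) -> str:
    """Dispatch on Content-Type, but only to formats the endpoint declares."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in allowed:
        raise Rejected(f"unsupported Content-Type: {media_type}")
    if media_type == "application/json":
        return json.loads(body)["text"]
    return parse_xml_no_dtd(body)


# Constructed sample bodies (not captured traffic).
PLAIN_XML = b"<?xml version='1.0'?><comment><text>nice cat</text></comment>"
DTD_XML = (b"<?xml version='1.0'?><!DOCTYPE comment [<!ENTITY x SYSTEM 'file:///'>]>"
           b"<comment><text>&x;</text></comment>")
JSON_BODY = b'{"text": "nice cat"}'
```

With the default `allowed` tuple, the Content-Type switch from 7/ is rejected outright; where XML is a declared format, the DOCTYPE check still stops the entity from being defined.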