XML External Entity Attacks (XXE) - Low Security Level

Solution:

*Note: I am using BurpSuite pre configured browser, in case if you are not using the pre configured browser then please configure the browser with proxy and then follow the below steps.

Step 1. Click on Any bugs button and pass the request through BurpSuite.

Step 2. Right click and send the page to the Repeater Tab.

Step 3. Click on Send and check the response.


Step 4. Replace the code with below payload as shown in the video


Note: As angled brackets aren't allowed in YouTube Description, replacing them with ( ), kindly make the necessary change.


(?xml version="1.0" encoding="utf-8"?)
(!DOCTYPE root
[
(!ENTITY XXE SYSTEM "file:///etc/passwd")
])
(reset)
(login)&XXE;(/login)
(secret)
PseudoTime
(/secret)
(/reset)

Step 5. Click on Send and check the response.

PseudoTime