This is also known as an XXE (XML External Entity) attack. Basically it abuses systems that parse XML input: the attacker supplies crafted XML and the parser's handling of the SYSTEM entity is what gets abused. Attacks include denial of service, local file disclosure, remote code execution and more.

Basics of XML

In XML we have elements. In this case gift is going to be our root element and everything inside it is a child element.

But what if we want to make a lot of gifts but we don't wanna

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE gift [
<!-- a raw & is not allowed inside the entity value, so it is written as &amp; -->
<!ENTITY from "Aniket&amp;Boi">
]>
<gift>
<To>Frank</To>
<From>&from;</From>
<Item>Pokemon Cards</Item>
</gift>

ENTITY basically lets us define variables (like &from; above) and reference them from our XML.

XML element text doesn't accept reserved characters like & directly; they have to come in as an entity reference, so ENTITY is how we get special characters into our document.

And now to exploit this we can just google XXE payloads, for example:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE Injection

In XML we have something called SYSTEM. It tells the parser to pull an entity's content from the system, so it lets us pull stuff like local files etc.

Attacking Methods →

So we can use a payload like this to read something like the /etc/passwd file from the system.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

How do we execute this though? First make a new account. Testing from inside the account is called authenticated testing: we are a middle user or normal user. Now we should check what all we have access to. Normally when we do web app testing we are going to be given two roles, admin and non-authenticated access. So let's just explore what we have access to: click on everything and anything. You can also scan the website if you have Burp Pro. Any time you see a file upload feature that's great, because uploads can be devastating if not handled properly. We can upload XML files, malicious code or something like that.

So if the file upload isn't handled properly, we can try intercepting our request with Burp, upload our XML exploit file, and check in the Repeater tab whether the response contains the contents of /etc/passwd or not.

How do we defend against this? We have to disable DTD processing (and with it external entity resolution) in the XML parser that handles our input. If we can bypass any whitelisted file extensions they have, we can submit that as a finding and report it to the website.
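As an added example (not from the original notes), here is a small upload gate that ties the two halves together: it classifies the gift document and the /etc/passwd payload from above, refuses anything with a SYSTEM/PUBLIC entity, and only hands DTD-free (or explicitly allowed internal-DTD) XML to the standard-library parser. The samples are constructed inline; `classify` and `parse_upload` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the gift document and the /etc/passwd payload from the
# notes above (the "&" inside the entity value is escaped as &amp; so the gift
# file is well-formed XML).
GIFT_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE gift [
<!ENTITY from "Aniket&amp;Boi">
]>
<gift><To>Frank</To><From>&from;</From><Item>Pokemon Cards</Item></gift>"""

XXE_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>"""

# Any DOCTYPE means a DTD is present. SYSTEM or PUBLIC on an ENTITY (general
# or % parameter entity) means the parser would be asked to fetch an external
# resource, which is the XXE primitive.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def classify(xml_text):
    """Return 'external-entity', 'internal-dtd' or 'clean' for an upload."""
    if EXTERNAL_ENTITY_RE.search(xml_text):
        return "external-entity"
    if DOCTYPE_RE.search(xml_text):
        return "internal-dtd"
    return "clean"


def parse_upload(xml_text, allow_dtd=False):
    """Gate an uploaded XML file before it reaches the parser.

    External entities are always refused; a DTD with only internal entities
    (like the gift example) is refused too unless the endpoint opts in.
    """
    kind = classify(xml_text)
    if kind == "external-entity":
        raise ValueError("rejected: external entity (SYSTEM/PUBLIC) in DTD")
    if kind == "internal-dtd" and not allow_dtd:
        raise ValueError("rejected: DOCTYPE not allowed on this endpoint")
    # Bytes are passed so the declared ISO-8859-1 encoding is honoured.
    return ET.fromstring(xml_text.encode("iso-8859-1"))
```

This pre-parse check is a belt-and-braces guard; the primary control is still what the notes say, turning off DTD and external entity processing in the parser itself (in Python, defusedxml is the usual way to get that).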