XXE – an end-to-end example

Let's set up our XXE lab so that we can see the vulnerability in action. After installing Vagrant and VirtualBox and cloning the git repository from https://github.com/jbarone/xxelab, we can start the application by navigating into the xxelab directory and running vagrant up. Once Vagrant has downloaded the Ubuntu image and the other dependencies, the app should be up and running at http://192.168.33.10/:

Let's enter some test values into our submission form, making sure that our Burp Suite proxy has its Intercept feature turned on:

After trying to submit our form, we can head over to Burp to see what our intercepted raw HTTP ...
