
Hands-On Bug Hunting for Penetration Testers by Joseph Marshall


XXE – an end-to-end example

Let's set up our XXE lab so that we can see the vulnerability in action. After installing Vagrant and VirtualBox and cloning the git repository from https://github.com/jbarone/xxelab, we can start the application by changing into the xxelab directory and running vagrant up. Once the Ubuntu image and the other dependencies have been downloaded, the app should be up and running at http://192.168.33.10/.

Let's enter some test values into our submission form, making sure that our Burp Suite proxy has its Intercept feature turned on:

After trying to submit our form, we can head over to Burp to see what our intercepted raw HTTP ...
