Hey there. Welcome back. In the previous video, we talked about how XML works, how XML entities work, and how we can reference various things outside of an XML object. The idea behind this lesson and the rest of this module is exploiting some of that and talking about how we can go about finding what we need to exploit. Essentially, the process of discovering vulnerabilities. Before viewing this lesson, I hope you've taken some time to explore your assigned reading of the OWASP XXE Prevention Cheat Sheet. It's a great resource, and you can use it to fill any gaps you have in your prior knowledge. We're just going to refresh to focus on this topic. After this lesson, you'll be able to describe the process I demonstrate of an XML injection attack to list the root directory of a server. Thinking back to our threat modeling work, this is the same thing as compromising the confidentiality of some victim server.

Before we start, you should know that we're going to be running everything through Firefox for the remainder of this module, or at least I am, just so that we can intercept the data in my proxy. If you forgot how to set that up, just reference the video where we talk about setting up the proxy and how to configure it so that not all of your traffic is going through the proxy. I'm using Firefox because it allows me to specifically set the proxy for my browser and not my entire system.

Let's get started. Let's play around with it and see what we get. I'm going to bring up my Burp Proxy. I'm going to clear the history just because it's been running for a while. There's going to be a lot of noise in here. I wouldn't really worry about it. We'll know when we have the data that we need, because anything that we do is a POST. So we'll see it come up as a POST, and we can modify our POST. Another thing to make your life a little bit easier: by default, Burp orders things from top to bottom, meaning oldest requests on top and newest requests on the bottom. I actually flip that just because I can then always keep it up top, and I know my newest requests are up top.

So we're going to just play around with this. The idea behind this is they want us to add a comment and do an XXE injection trying to list their root directory on this file system. So going back to how XML works, that seems pretty interesting to do. Obviously, it would be very useful to know what files I have on their file system and maybe even open it and reference some of those items. So let's go ahead and give it a test comment to see what it looks like. So I just commented "test". If I go to my Burp, we see a POST. If we look in there, it looks like we're just commenting an XML object here. So I'm going to copy that out and put it in our trusted IDE. I'm going to re-indent this code. Let me indent it properly. Now, it doesn't need to be indented, but it makes it easier for us to read it. Perfect. So this is essentially what it's posting.

Now, if I copy this, the same thing that we posted before, I've just cleaned it up. I'm going to copy that, and our request with our POST, which is highlighted from before, I right-click on it and send it to the Repeater. If you go to the Repeater, you'll see essentially what was commented before. So I'm going to replace this with what I have here. Now, we already commented "test". So I'm going to change this to "test2", copy this, highlight everything here, erase it, paste my new POST, and hit Go. The expectation is when I come back here, if I refresh this page, I want to see a "test2" in here as well. So I'm going to refresh that, and sure enough, there's a "test2" in here. So we know that we can modify what's being posted here. All I had to do was hit Go on my Repeater.

So now we can modify this. The idea is we want to reference something in their file system. In a previous video, when we were talking about this, we talked about how entities can be referenced by simply referencing something like this. So you define your entity and you can reference it. The question is, how can you define an entity on their file system? Now, in the next video, we're going to show you how to do that. But to go through our thought process for this, open up Chrome, open up a new tab, and maybe just search "XXE Cheat Sheet". OWASP comes up as our cheat sheet. We can scroll through and see if we can find anything that's interesting. It shows the code that's vulnerable and how the various code segments work. There's also an explanation of XXE processing and what goes wrong, and there may be some hints in here on how to go about doing this. So go ahead and give it a try, and we'll come back in the next video and show you how to do this.
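As an added example (not code from the course or from the lab application shown in the video), here is the defender's side of what the OWASP cheat sheet recommends for the entity-definition idea discussed above: a small Python parser built on the standard library's expat bindings that refuses any document carrying a DOCTYPE and never fetches external entities, plus a separate helper that flags external entity declarations in inbound XML so an attempt of the kind this lesson builds towards shows up in logs. The `<comment>`/`<text>` element names and both sample documents are constructed for the example; the lab's real request body is whatever you captured in Burp.

```python
import re
from xml.parsers import expat

# Constructed sample of a comment post, shaped like a form body seen in a proxy.
# The element names are an assumption for this example, not the lab's real ones.
BENIGN_COMMENT = b"""<?xml version="1.0"?>
<comment><text>test2</text></comment>"""

# Constructed sample of the attempt the lesson describes: a DTD declares an
# external entity pointing at the server's file system, then the body references it.
XXE_COMMENT = b"""<?xml version="1.0"?>
<!DOCTYPE comment [ <!ENTITY xxe SYSTEM "file:///"> ]>
<comment><text>&xxe;</text></comment>"""


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE. The cheat sheet's first
    recommendation is to disable DTDs entirely, which removes XXE outright."""


# Matches general (ENTITY name) and parameter (ENTITY % name) declarations
# whose value is an external identifier (SYSTEM or PUBLIC).
ENTITY_DECL = re.compile(rb"<!ENTITY\s+(%\s*)?(\S+)\s+(SYSTEM|PUBLIC)\s+", re.IGNORECASE)


def find_external_entity_decls(data: bytes) -> list[str]:
    """Detection helper: names of external entities declared in the DTD.
    Run it on inbound XML before parsing to log or alert on XXE attempts."""
    return [m.group(2).decode("ascii", "replace") for m in ENTITY_DECL.finditer(data)]


def parse_comment_hardened(data: bytes) -> dict[str, str]:
    """Parse the comment body into {element: text} while refusing DTDs and
    external entities. Raises DtdNotAllowed or expat.ExpatError on a bad document."""
    p = expat.ParserCreate()
    # Never fetch external parameter entities (an external DTD subset).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any <!ENTITY> inside the DTD is processed.
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    def on_external_ref(context, base, system_id, public_id):
        # Belt and braces: returning a false value makes expat raise instead of resolving.
        return 0

    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_ref

    result: dict[str, str] = {}
    stack: list[str] = []
    chunks: dict[str, list[str]] = {}

    def start(name, attrs):
        stack.append(name)
        chunks[name] = []

    def chars(text):
        if stack:
            chunks[stack[-1]].append(text)

    def end(name):
        stack.pop()
        result[name] = "".join(chunks[name]).strip()

    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    p.EndElementHandler = end
    p.Parse(data, True)
    return result


def accepts(data: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it refuses it."""
    try:
        parse_comment_hardened(data)
        return True
    except (DtdNotAllowed, expat.ExpatError):
        return False


if __name__ == "__main__":
    print("benign:", parse_comment_hardened(BENIGN_COMMENT))
    print("xxe accepted?", accepts(XXE_COMMENT))
    print("external entities declared:", find_external_entity_decls(XXE_COMMENT))
```

The detection helper is deliberately independent of the parser: a request that never reaches the parser (because a WAF or an earlier check rejected it) can still be logged, and a parser that is later swapped for a different library keeps the same alerting.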