Hi, welcome back. So in very simple terms, secure programming is about keeping secrets: secrets no one but the authorized person should be able to access. In this lesson, we're going to purposely create a secret that no one should be able to read, then do our best to see if we can use our injection attacks to reveal that secret and look at it. Looking back at Sandra's course, this is where we employ our threat modeling skills. Software security, secure programming, or any term you choose, is about coding defensively: basically knowing the pitfalls and then going to find your mistakes. We all make them, and that's okay. So let's find some mistakes. In the previous video, I demonstrated the process I use when dealing with an XML injection to list directories on our victim server. In this lesson, I'm going to show you how we can modify what's being posted and define an entity for our vulnerable application to process. REST frameworks, and APIs in general, due to their decoupled nature give the impression that injection attacks are not possible or are difficult. This is a very dangerous assumption. After this lesson, you'll be able to better understand injection attacks and find ways to inject RESTful APIs. Let's take a look at what XML injection looks like with a RESTful API. Hopefully, in the last video, you got a sense of how you can go about attacking this module, and you were able to find out how to get your command to execute on this, to get your external XXE to work on this. Now, if you couldn't figure it out, that's all right. We can take some hints from the OWASP page. It looks like you can define an entity with the SYSTEM modifier and define an XXE. So let's work through that together. I'm going to do another test3 submission through this, so that we can put that through the Repeater. In Burp, I go to my Proxy. There is my POST, test3, perfect. I'm going to send that to my Repeater. There's our test3.
The main thing here: I just wanted to make sure my session ID didn't change since the last video. I'm going to copy this bit of code that we wrote together. Actually, we're just going to modify it. So this is what went through. This is what OWASP uses as an example. So let's see if this works. I should be able to simply define my document type, and define my own entity and my own elements. So let's put this in here and see what breaks. I'm just going to go and look at the files in my current working directory. I'm going to reference the XXE. So let's see what we get from this. I go in my Repeater, highlight this body of text, and let's see if that's happy. So it gave us a false for lesson completed, because we're probably not doing what it's asking for. But it should have listed the files in my current directory, and it did. Now remember, this is the current directory where WebGoat is actually running, in my IDE in this case. Let's see: there's a docker-compose file, a Docker YAML file, et cetera. Okay, cool. Let's see what else we can do with it. What if we said we want to look at dot dot slash, dot dot slash? Let's just repeat that a couple of times, because I don't know how far this is. I'm going to replace all of this text and send that through. You can see it's a lesson completed true, probably because it was asking us to list the root directory. So let's do a list on that and see what's there. This looks very interesting. This looks to be my Mac volume. There's my Applications folder, there's bin, there's core. So since I'm running this in my IDE, it's actually exposing files on my Mac. So I'm going to open up a command prompt. I'll change directories to my desktop. Let's make that a little bit bigger. I'm going to create example.txt. So let's put something in example.txt. So let's say I had some confidential files sitting in my home folder, on my desktop.
Now, realistically, an attacker might not know that this is the path to my desktop, but we can extract that path pretty easily. So we know that, at some point, it hit the root directory. If we go in here, we can see the root directory. There's a Users folder. So on my next attack, I'm just going to append Users there and hit Go, and if I refresh this page, we'll see all the users that are there. So there's my user, there is some random user, there is a Shared folder for some application, and then there's a UC Davis folder that I had made. So I can then go to the joubin folder. If I refresh the page again, we can see in the joubin folder there's a bunch of files. But what I'm interested in is the desktop. So we can work our way through Desktop and see all the files that are on the desktop. We can see there's a hidden folder, there's a localized, there's the example.txt. So what happens if I simply reference example.txt? If I refresh it, this is a secret that no one should be able to read. So I was able to extract the contents of that file by simply working my way through this. So as you can see, this could be pretty devastating if this is on a server, because you have private keys, you have encryption keys, you have usernames, passwords, database servers potentially, configuration files, and there's a lot of things you can do with XXE, and it is pretty dangerous. Now there's a misconception that because you're using a REST framework, XXE is not possible, and that's not true. Especially in our world today, where you have API gateways and you have break-out systems in microservices, you're going to see more and more REST services that are exposed and accept data coming from us. So the idea behind this is that you're not able to simply attack this because the data that's being sent is different. So I'm going to call this REST test, and I'm going to submit.
If we go back to our Proxy and look at the last POST data, you can see that it was submitted with a content type of JSON. So it's a JSON body of text. The question really becomes: how do you modify this data to become similar to the previous one? So I'm going to pause the video here, and you can just give it a try. I'll see you in the next video.
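Added example (my code, not the course's or WebGoat's): the server-side guards a defender would put in front of an endpoint like the one attacked above, written in Python. The handler name, the comment/text element, the sample bodies and the placeholder file path are assumptions, not values from the lesson.

```python
import json
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is the only place an XML document can declare entities, so the
# simplest hardening (the equivalent of Java's disallow-doctype-decl feature)
# is to refuse any document that carries one; that also blocks internal
# entity expansion tricks, not just the SYSTEM entity used in the lesson.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# Entity declarations with a SYSTEM or PUBLIC identifier are the ones that let
# "&xxe;" expand to the contents of a local file or a remote URL.
_EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def looks_like_xxe(body: str) -> bool:
    """Detection check for logging and alerting: scan the raw body, whatever
    Content-Type it arrived under, for an external entity declaration."""
    return _EXTERNAL_ENTITY_RE.search(body) is not None


def safe_parse_xml(body: str) -> ET.Element:
    """Parse XML only if it carries no DOCTYPE at all; the comment element
    the handler needs never requires one."""
    if _DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE declarations are not accepted")
    return ET.fromstring(body)


def handle_comment(content_type: str, body: str) -> dict:
    """Hypothetical REST handler for the lesson's comment form: reject and
    flag external entity declarations, parse XML only through the hardened
    path, and refuse any Content-Type the endpoint was not written for."""
    if looks_like_xxe(body):
        return {"status": 400, "error": "external entity declaration", "alert": True}
    if content_type.startswith("application/json"):
        return {"status": 200, "text": str(json.loads(body).get("text", ""))}
    if content_type.startswith("application/xml"):
        return {"status": 200, "text": safe_parse_xml(body).findtext("text") or ""}
    return {"status": 415, "error": "unsupported content type"}


# Constructed sample bodies in the shape of the lesson's comment post; the
# file path is a placeholder, not a path from the lesson.
BENIGN_XML = "<comment><text>test3</text></comment>"
BENIGN_JSON = '{"text": "REST test"}'
XXE_XML = ('<?xml version="1.0"?><!DOCTYPE c [<!ENTITY xxe SYSTEM '
           '"file:///PLACEHOLDER/example.txt">]><comment><text>&xxe;</text></comment>')
```

The `alert` flag in the 400 response is where a real handler would hand the request to logging or a SIEM, since a SYSTEM entity in a comment post is never legitimate traffic.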