SOAP

Published: July 19, 2023. Updated: December 9, 2025.

Description

The SOAP stock-check endpoint parses request XML without blocking external entities. Inject an external entity to have the backend disclose /etc/passwd.

Open the provided web portal in Burp Suite’s built-in browser and intercept a request to any “Details” button.

Modify the XML payload to include a malicious DOCTYPE that defines an external entity pointing to /etc/passwd.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
    <stockCheck><productId>&xxe;</productId></stockCheck>

Solution

  1. Step 1: Capture the POST body
    With Burp intercept on, click a Details button to pause the request. The body already contains the stockCheck XML you can modify.
  2. Step 2: Inject the entity
    Insert the DOCTYPE snippet defining &xxe;, then replace the productId value with &xxe;. Forward the request and the server echoes /etc/passwd, including the flag.

Flag

picoCTF{XML_3xtern@l_3nt1t1ty_4db...}

Any file path works, but /etc/passwd proves the XXE and includes the picoCTF token in the response.
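On the fix side, an added example that is not part of the writeup or the challenge: a Python pre-parse gate that refuses any DOCTYPE before the stockCheck body reaches the XML parser, the standard mitigation for this class of bug. Function names and the numeric-productId rule are assumptions; the malicious body is the payload quoted above.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """A request body carried a <!DOCTYPE ...> declaration."""


def refuse_doctype(body: bytes) -> None:
    """Bare expat pass whose only job is to abort on the first DOCTYPE.

    Entities can only be declared inside a DOCTYPE, so refusing it closes the
    file:///etc/passwd XXE from the writeup and entity-expansion DoS alike,
    whatever the downstream parser would have done with the entity.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity in the DTD is declared or resolved.
        raise DtdRejected(f"DOCTYPE {name!r} not permitted in stock-check requests")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(body, True)


def parse_stock_check(body: bytes) -> str:
    """Return the productId of a DOCTYPE-free <stockCheck> body, else raise."""
    refuse_doctype(body)
    root = ET.fromstring(body)
    if root.tag != "stockCheck":
        raise ValueError(f"unexpected root element {root.tag!r}")
    product_id = (root.findtext("productId") or "").strip()
    if not product_id.isdigit():  # assumption: product ids are decimal integers
        raise ValueError("productId must be a decimal integer")
    return product_id


def is_rejected(body: bytes) -> bool:
    """True when the gate refuses the body because it carries a DTD."""
    try:
        parse_stock_check(body)
    except DtdRejected:
        return True
    return False


# Constructed benign body, and the payload quoted in the writeup above.
BENIGN_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b"<stockCheck><productId>1</productId></stockCheck>")
XXE_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
            b"<stockCheck><productId>&xxe;</productId></stockCheck>")
```

Because the gate fires on the DOCTYPE itself, an internal-subset entity (the billion-laughs shape) is refused the same way as the external one, and no file or URL is ever fetched.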