WEBVERSE


medium · XXE · Free

Foldmark

Foldmark is a small-business e-signing service. The product team just shipped cross-vendor envelope imports so customers can bring signed documents over from competitors — and the preview page renders whatever the import parser hands it.

The Scenario

Foldmark serves about five thousand small businesses and has held SOC 2 Type II since 2024. Last quarter the sales team kept losing migration deals to "we can't bring our history with us," so the product team shipped a cross-vendor envelope importer on a tight deadline — drop in a file from a competitor and Foldmark renders a preview with the signer, document title, organization and timestamp lifted straight from the document.

Challenge Intel

Synopsis

In-band XXE via lxml's etree.fromstring with resolve_entities=True on the envelope import endpoint; the resolved entity is reflected back through the preview page's Jinja {{ value }} renderer.

What It Is

Foldmark exposes two superficially similar surfaces. POST /envelopes/new is the obvious target, but it builds the envelope server-side from form fields by templated XML composition and never parses user-supplied XML, so it offers no XXE surface. POST /envelopes/import accepts an uploaded .xml file representing a SAML-like signed envelope from another e-signing provider and parses it with etree.XMLParser(resolve_entities=True, no_network=False, dtd_validation=False, load_dtd=True). After parsing, the server redirects to /preview/<id>, where the parsed Signer, DocumentTitle, Timestamp and Organization fields are rendered through Jinja's escape-by-default {{ value }}. Because entity expansion happens inside the parser before Jinja ever sees the string, escaping cannot help: a DOCTYPE declaring <!ENTITY xxe SYSTEM 'file:///flag.txt'> and referencing &xxe; inside <Signer> produces a preview page whose Signer field is the contents of /flag.txt.

Who It's For

Players comfortable with XML basics who want to drill the in-band XXE pattern and learn to look past the obvious form for the import path.

Skills You'll Practice

  • Identifying XML parser misconfiguration in Python libraries (lxml)
  • Crafting a DOCTYPE with an external general entity for file disclosure
  • Reading the application to find the real parsing surface rather than the obvious one
  • Reasoning about where escaping happens in a templating pipeline

What You'll Gain

  • A reusable in-band XXE exploit template against lxml
  • Practical experience with the two-surface principle in vulnerability discovery
  • Confidence parsing XML upload features for misconfigured entity resolution

Ready to hack Foldmark?

This challenge is free. Sign up and start hacking.

Foldmark — WebVerse Pro XXE