XInclude Attacks

In some applications, they receive client-submitted data, embed it on the server-side into an XML document, and then parse the document.

When client-submitted data is placed into a back-end SOAP request, it is then processed by the backend SOAP service

Such type of senarios, we cannot implement our XXE attack because :

We don't control the entire XML document and so we cannot define the DOCTYPE element
To bypass this client side verification, we can use XInclude

XInclude is a part of the XML specification that allows an XML document to be built from sub-documents.

We can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document

<d0p xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></d0p>

We'll need to reference the XInclude namespace and provide the path to the sensitive file

This attack is kinda confusing and tough to detect it, as we aren't interacting with the server side XML API or any sort of XML documents

We get to see, we only got two parameters productID and storeID, both are set to 1. The product parameter seems to be vulnerable as we interested in checking the stocks available for the product only right ?

When we insert the above payload, in the productID parameter it gives out the contents of the /etc/passwd file within an error, The payload tells :

Create a reference with the XInclude namespace => http://www.w3.org/2001/XInclude
And provide a path to the /etc/passwd

PreviousXXE via File upload NextBlind XXE Attacks

Last updated 1 year ago