XXE via File upload


Last updated 2 years ago

Some applications allow users to upload files that are processed server-side. Several common file formats use XML or contain XML subcomponents.

Examples of XML-based formats are office document formats such as .docx and image formats such as .svg.

  • If an application allows users to upload images and processes or validates them on the server after upload

  • If the application expects to receive a format such as .png or .jpeg, the image processing library is likely to accept .svg too

Since the SVG format uses XML, an attacker can submit a malicious SVG image and so reach hidden attack surface for XXE vulnerabilities.

First, check the client/server validation by uploading a normal .png or .jpeg file.

Usually this returns an error saying the avatar is too large.

Now intercept that request and try changing the PNG content to an XML-based SVG:

<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

The above payload returns the hostname, using the XInclude namespace reference.

The application validates the above payload as an SVG image and then returns a 200.

XXE via Modified Content-Type

Most POST requests carry a default Content-Type generated by HTML forms, such as

  • application/x-www-form-urlencoded

So here an attacker can tamper with the Content-Type, switching it to an XML format:

POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52

<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>

If the application accepts any Content-Type that is configured in the server backend's MIME types, then an attacker can:

  • Find hidden XXE attack surface simply by reformatting requests to use the XML format
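Both tricks on this page (an SVG carrying a DTD where a PNG was expected, and a form endpoint fed text/xml) are caught on the server by the same three checks: a strict Content-Type allowlist, a file-signature check for raster types, and refusing any DTD before an XML parser ever sees the body. The code below is an added illustration, not part of the original page or of any framework; the `check_upload` function, its reject reasons and the sample bodies are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies, modelled on the page's payloads (not captured traffic).
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_XXE = (b'<?xml version="1.0" standalone="yes"?>'
           b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')
SVG_PLAIN = b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>'
XML_FORM = b'<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>'

# File signatures for the raster types an avatar endpoint expects.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}
SVG_NS = "{http://www.w3.org/2000/svg}svg"
# Entities (internal or external) can only be declared inside a DTD, so refusing
# any DOCTYPE/ENTITY declaration removes the XXE surface before a parser runs.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def check_upload(declared_type, data, allowed_types=("image/png", "image/jpeg")):
    """Classify one request body: 'accept' or 'reject:<reason>'."""
    # Strip parameters such as '; charset=utf-8' before comparing media types.
    media_type = declared_type.split(";", 1)[0].strip().lower()
    if media_type not in allowed_types:
        # Covers the Content-Type switch from form-urlencoded to text/xml.
        return "reject:content-type-not-allowed"
    magic = MAGIC.get(media_type)
    if magic is not None:
        # A body swapped from PNG to SVG fails the signature check.
        return "accept" if data.startswith(magic) else "reject:signature-mismatch"
    if media_type == "image/svg+xml":
        if DTD_RE.search(data):
            return "reject:dtd-present"
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            return "reject:malformed-xml"
        return "accept" if root.tag == SVG_NS else "reject:not-svg"
    return "reject:unsupported-type"


if __name__ == "__main__":
    print(check_upload("image/png", SVG_XXE))                           # reject:signature-mismatch
    print(check_upload("image/svg+xml", SVG_XXE, ("image/svg+xml",)))  # reject:dtd-present
    print(check_upload("text/xml", XML_FORM, ("application/x-www-form-urlencoded",)))
```

If SVG uploads are a business requirement, the DTD refusal is the part that matters; the parser here is only reached for bodies that contain no DOCTYPE or ENTITY declaration at all.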