
XML injection

XML Tag injection

In this scenario the attacker can alter the XML document structure by injecting both XML data and XML tags into a document such as the following:

<?xml version="1.0"?>
<users>
    <user>
        <username>admin</username>
        <password>secrte</password>
        <group>Administrator</group>
    </user>
    <user>
        <username>hacktor</username>
        <password>secrtehacktor</password>
        <group>users</group>
    </user>
</users>

If the attacker can inject XML metacharacters into the document and the application fails to contextually validate the data, the structure of the document can be changed.

Metacharacters: ' " < > &

XML Injection - Single/Double Quotes

Single and double quotes are used to delimit an attribute value in a tag:

<group id="id">admin</group>
<group id='id'>admin</group>

An id containing a stray quote, like the following, makes the XML malformed:

<group id="12"">admin</group>
<group id='12''>admin</group>

XML Injection - XSS with CDATA

#Normal payload
<script>alert('h3ckt00r')</script>

#Using CDATA
<![CDATA[<]]>script<![CDATA[>]]>
alert('xss')
<![CDATA[<]]>/script<![CDATA[>]]>

Mitigations for XML Injection:

  1. Proper input sanitization:

    • Always validate and sanitize user input before embedding it in XML.

    • Escape the special characters <, >, &, ' and " in user-provided data.

  2. Use XML libraries:

    • Use XML libraries that handle character encoding and escaping for you; most provide built-in functions to safely escape special characters.

    • Avoid building XML documents by string concatenation.

  3. Disable external entity processing:

    • Disable XXE (external entity processing) if it is not required, as it can lead to other severe vulnerabilities.

    In PHP, for example:

    libxml_disable_entity_loader(true);

    (This function is deprecated since PHP 8.0, where libxml no longer loads external entities by default; on older versions call it before parsing untrusted XML.)

  4. XML schema validation:

    • Use XML Schema Definitions (XSD) or Document Type Definitions (DTD) to enforce the structure of XML documents, so that unexpected elements or malicious data are rejected.

  5. Use CDATA for user input:

    • If you must insert user input into XML elements, consider wrapping it in a <![CDATA[ ... ]]> section so that special characters are not interpreted as markup. Note that the sequence ]]> inside the input would terminate the section early, so it must be rejected or split across two CDATA sections.
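The following Python example is added here and is not part of the original page: it reproduces the tag injection and the stray-quote breakage from the sections above against the page's <users> document, then shows the escaping and CDATA mitigations just listed. The form fields (username, group), the function names and the injected inputs are all constructed for the example.

```python
import html
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed scenario: an application writes one <user> record (hypothetical
# username/group fields) into the page's <users> document.

def build_user_unsafe(username: str, group: str) -> str:
    # Vulnerable pattern: user input concatenated straight into the markup,
    # so ' " < > & are interpreted as XML rather than as data.
    return ('<?xml version="1.0"?><users><user>'
            f'<username>{username}</username>'
            f'<group id="{group}">{group}</group>'
            '</user></users>')

def build_user_safe(username: str, group: str) -> str:
    # Hardened: escape() encodes < > & in text nodes; quoteattr() picks a
    # quote character and encodes the value so it cannot end the attribute.
    return ('<?xml version="1.0"?><users><user>'
            f'<username>{escape(username)}</username>'
            f'<group id={quoteattr(group)}>{escape(group)}</group>'
            '</user></users>')

def cdata(text: str) -> str:
    # CDATA wrapper: a literal "]]>" in the input would end the section early,
    # so split it across two sections instead of trusting the input.
    return '<![CDATA[' + text.replace(']]>', ']]]]><![CDATA[>') + ']]>'

def groups_of(document: str):
    # Text of every <group> element, or None when the XML is not well-formed.
    try:
        root = ET.fromstring(document)
    except ET.ParseError:
        return None
    return [g.text for g in root.iter('group')]

def render_text(document: str, tag: str) -> str:
    # CDATA only protects the XML parser; text that later reaches an HTML page
    # must still be HTML-escaped, or the CDATA XSS payload becomes a <script>.
    return html.escape(next(ET.fromstring(document).iter(tag)).text or '')

# Constructed inputs: a tag injection and the page's double-quote breakage.
TAG_INJECTION = 'hacktor</username><group>Administrator</group><username>'
BAD_ID = '12"'

if __name__ == '__main__':
    print(groups_of(build_user_unsafe(TAG_INJECTION, 'users')))  # ['Administrator', 'users']
    print(groups_of(build_user_safe(TAG_INJECTION, 'users')))    # ['users']
    print(groups_of(build_user_unsafe('hacktor', BAD_ID)))       # None (malformed)
    print(groups_of(build_user_safe('hacktor', BAD_ID)))         # ['12"']
```

The unsafe builder lets one form field add a second <group> element or break the document entirely, while the escaped builder keeps the same input as plain text.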


Last updated 8 months ago