1

I wonder, is possible XXE attack in this case?

The data of request is starting with:

<InteractionMessage><Header><SenderApplication>VIP3.0</SenderApplication><ReceiverApplication/><TransactionID>1651397670193</TransactionID><Timestamp>2022-05-01T02:34:30.193-07:00</Timestamp></Header><Body><********><Attachments xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" qid="String" isApplicable="true" location="preference" source="preference"> <*** id="2"> <Attachment id="1" purpose="Rotation"> <Type>Optimized Rotation</Type> <Bevel xsi:nil="true"/> <Orientation xsi:nil="true"/> <Location>CenterCenter</Location> <Surface>****</Surface> <Size units="mm">autosize</Size> <Status>NotChanged</Status> </Attachment>

And when I change something like this

 <**** id="3"><PrecisionCut id="1"><CutToothSurface>****</CutToothSurface><CutType><Button><Button>true</Button><CutButtonType>Round</CutButtonType></Button><Slit><Slit>false</Slit><CutSlitOrientation>ASDASD</CutSlitOrientation></Slit></CutType><CutStatus>NotChanged</CutStatus></PrecisionCut>

This XML data is reflecting in the response

 <***** id="3"><PrecisionCut id="1"><CutToothSurface>*****</CutToothSurface><CutType><Button><Button>true</Button><CutButtonType>Round</CutButtonType></Button><Slit><Slit>false</Slit><CutSlitOrientation>ASDASD</CutSlitOrientation></Slit></CutType><CutStatus>NotChanged</CutStatus></PrecisionCut></Tooth>

As you can see ASDASD is reflecting on the response (it's same for other params too). I tried classical XXE payloads but data returned null

Improve this question
0

2 Answers 2

Reset to default
1

XXE stands for XML external entity. Your example has nothing to do with external entities, you are just reflecting XML itself. This could induce other vulnerabilities, but is not related to XXE.

This page gives a proper explanation of what XXE is and how it could be abused.

Improve this answer
1

XXE (XML eXternal Entity) attacks require that you define, and reference, an external value from a file or other URI. This is most commonly done using a custom entity (such as &xxe;) To define custom entities, you need an XML document that contains a Document Type Declaration (often abbreviated "DTD"). The DTD comes after the XML version declaration, but before the actual document, and defines the format of the document starting with the root element; for your document above (assuming it's complete; I notice it's missing some closing tags) the DTD starts like this: <!DOCTYPE InteractionMessage followed either by an inline DTD between square brackets, or an external declaration consisting of the word SYSTEM or PUBLIC followed by [the name, for PUBLIC, and] the path to the declaration, as a quoted relative or absolute URI.

XXE attacks usually use an inline DTD which declares an entity, and declares an external reference as the expansion of that entity. The document itself then includes an instance of that custom entity, which the server expands (fetching the URI in the process) and embeds in the document, and hopefully reflects back in the response. If adding an inline DTD is not viable for length reasons, the DTD could itself be an external reference to a path on your own server (requires the target server be capable of outbound requests).

The fact that your document is getting reflected in the response is useful, but not sufficient, for it to be vulnerable to XXE. Most modern XML libraries disable DTDs by default now, as the easiest way to prevent XXE (and also "billion laughs" XML recursive entity) attacks. Even if DTD processing is enabled, the XML library might reject external references in it. Finally, the target system needs to be processing the user-supplied content as a full XML document (not just a fragment or node) or else it won't parse the DTD even if DTD parsing is enabled in general (remember that the DTD needs to come before the document body).

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.