Created
September 5, 2019 14:47
TryCF Gist
<cfsavecontent variable="xml"><?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://httpbin.org/base64/YmluZ28h" >]>
<foo>&xxe;</foo>
</cfsavecontent>
<cfscript>
    try {
        results = xmlSearch(xml, "/foo");
        if (results[1].XmlText contains "bingo!") {
            writeOutput("<h3>Vulnerable to XXE</h3>");
            writeOutput("<p>The parsed xml element foo contained bingo!</p>");
        } else {
            writeOutput("<h3>Potentially not Vulnerable to XXE</h3>");
            writeOutput("<p>The parsed xml element foo did not contain bingo!</p>");
        }
        writeDump(results);
    } catch (any e) {
        writeOutput("<h3>Potentially not Vulnerable to XXE</h3>");
        writeOutput("<p>Threw an exception</p>");
        writeDump(e);
    }
</cfscript>
<!---
Example adapted from: https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_%28XXE%29
The URL http://httpbin.org/base64/anything will take anything, attempt to base64 decode it and return the result.
In this example the &xxe; entity points to the URL: http://httpbin.org/base64/YmluZ28h
If you base64 decode YmluZ28h you will get bingo!
So if the parsed XML contains bingo! it is vulnerable to XML external entity injection.
Note that there are other ways this can work besides a URL; it can also be a file system path, etc.
--->
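The gist's check depends on the ColdFusion parser reaching httpbin over the network and on the author's "bingo!" canary coming back. The same detection logic can be run offline by intercepting the parser's entity lookups instead of letting them touch the network. The following is an added example written for this page, not code from the gist or from ColdFusion: it uses Python's standard-library SAX reader in place of xmlSearch, the same probe document shape, and an EntityResolver that records every external-entity request and hands back the canary itself. CANARY, PROBE_ENTITY_URL (a placeholder host that is never contacted), TextCollector, CanaryResolver and probe_parser are all names introduced here. It runs the probe once with external general entities enabled and once with the stdlib default of disabled, so you can see what "vulnerable" and "potentially not vulnerable" look like side by side.

```python
import io
import xml.sax
import xml.sax.handler
import xml.sax.xmlreader

# Constructed canary text: the same value the gist expects back from httpbin.
CANARY = "bingo!"

# Constructed placeholder system ID. It is never contacted, because the
# resolver below intercepts every external-entity lookup before any I/O.
PROBE_ENTITY_URL = "http://canary.invalid/xxe-probe"

# Probe document with the same shape as the gist's payload (constructed here).
PROBE_XML = f"""<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "{PROBE_ENTITY_URL}" >
]>
<foo>&xxe;</foo>
""".encode("utf-8")


class TextCollector(xml.sax.handler.ContentHandler):
    """Accumulates the character data of the document, i.e. the text of <foo>."""

    def __init__(self):
        super().__init__()
        self.text = ""

    def characters(self, content):
        self.text += content


class CanaryResolver(xml.sax.handler.EntityResolver):
    """Records each external entity the parser tries to resolve and returns the
    canary in place of the real resource, so no network or file access happens."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        source = xml.sax.xmlreader.InputSource(systemId)
        source.setByteStream(io.BytesIO(CANARY.encode("utf-8")))
        return source


def probe_parser(resolve_external_entities):
    """Parse PROBE_XML with external general entities on or off and report
    whether the canary was expanded into the parsed document (the gist's test)."""
    handler = TextCollector()
    resolver = CanaryResolver()
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    parser.setContentHandler(handler)
    parser.setEntityResolver(resolver)
    error = None
    try:
        parser.parse(io.BytesIO(PROBE_XML))
    except xml.sax.SAXException as exc:
        # Like the gist's catch block: a parser that rejects the document is
        # treated as "potentially not vulnerable", and the error is reported.
        error = str(exc)
    return {
        "vulnerable": CANARY in handler.text,
        "text": handler.text,
        "fetched": list(resolver.requested),
        "error": error,
    }


if __name__ == "__main__":
    for enabled in (True, False):
        report = probe_parser(enabled)
        verdict = ("Vulnerable to XXE" if report["vulnerable"]
                   else "Potentially not Vulnerable to XXE")
        print(f"external entities {'enabled' if enabled else 'disabled'}: {verdict} "
              f"(fetched={report['fetched']}, text={report['text']!r}, "
              f"error={report['error']})")
```

The "fetched" list is the more useful signal for a defender: it shows that the parser attempted the lookup at all, which is the behaviour to eliminate, whereas the canary text only proves the lookup also succeeded. Because the resolver answers the request locally, the check gives the same result on a host with no outbound network access, which is where the httpbin-based version of the test would wrongly report "potentially not vulnerable".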