Exploiting XSLT Injection
Understanding how to exploit XSLT injection vulnerabilities is crucial for identifying security weaknesses in web applications that utilize XSLT for data transformation.
Identifying XSLT Injection
Consider a sample web application that displays information about Academy modules. At the bottom of the page, users can input a username, which is reflected in the headline. If the application processes this input without proper sanitization before XSLT processing, it may be vulnerable to XSLT injection.
To test for this vulnerability, you can attempt to inject a broken XML tag, such as a lone <, into the username field. If the application responds with a server error, it may indicate a potential security issue, although this alone does not confirm an XSLT injection vulnerability.
Information Disclosure
To further investigate, you can inject specific XSLT elements to extract information about the XSLT processor in use. For example, injecting the following payload into the username field can reveal details about the processor:
Version: <xsl:value-of select="system-property('xsl:version')" />
<br/>
Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
<br/>
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
<br/>
Product Name: <xsl:value-of select="system-property('xsl:product-name')" />
<br/>
Product Version: <xsl:value-of select="system-property('xsl:product-version')" />
If the application processes these elements and returns the corresponding information, it confirms the presence of an XSLT injection vulnerability. For instance, you might find that the application uses the libxslt library and supports XSLT version 1.0.
Local File Inclusion (LFI)
Exploiting XSLT injection can also lead to Local File Inclusion (LFI). Depending on the XSLT version and library configuration, you can attempt to read local files. For example, if the application supports PHP functions, you can use:
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />
This payload displays the contents of the /etc/passwd file if the configuration allows it.
Remote Code Execution (RCE)
If the XSLT processor supports PHP functions, you can escalate the attack to Remote Code Execution (RCE) by executing system commands. For instance, using the following code can execute a command on the server:
<xsl:value-of select="php:function('system','id')" />
This capability highlights the critical need for developers to implement proper input validation and sanitization to protect against XSLT injection vulnerabilities, which can lead to severe security breaches.
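The following PHP snippet is an added example, not code from the original page or from the Academy module it summarizes. It renders the headline of the sample application in two ways: a vulnerable version that splices the username into the stylesheet source (which is what makes the disclosure, LFI and RCE payloads above work), and a hardened version that passes the username as an XSLT parameter and never enables php:function. The module data, function names and the XSLTProcessor usage are assumptions for illustration.

```php
<?php
// Added example (not from the original page). Assumes PHP's built-in
// XSLTProcessor (libxslt) and a constructed sample document.
$xml = new DOMDocument();
$xml->loadXML('<modules><module>XSLT Basics</module></modules>');

// VULNERABLE: the username becomes part of the stylesheet, so any
// <xsl:...> markup in it is executed by the processor rather than shown.
function renderVulnerable(DOMDocument $xml, string $username): string {
    $xsl = new DOMDocument();
    $xsl->loadXML(
        '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">' .
        '<xsl:template match="/"><h1>Hello ' . $username . '</h1>' .
        '<ul><xsl:for-each select="//module"><li><xsl:value-of select="."/></li></xsl:for-each></ul>' .
        '</xsl:template></xsl:stylesheet>'
    );
    $proc = new XSLTProcessor();
    $proc->registerPHPFunctions();   // enables php:function, i.e. the LFI/RCE step
    $proc->importStylesheet($xsl);
    return $proc->transformToXml($xml);
}

// HARDENED: the stylesheet is a fixed document; the username enters as an
// XSLT parameter and is emitted as escaped text by xsl:value-of. php:function
// stays unavailable because registerPHPFunctions() is never called.
function renderSafe(DOMDocument $xml, string $username): string {
    $xsl = new DOMDocument();
    $xsl->loadXML(
        '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">' .
        '<xsl:param name="username"/>' .
        '<xsl:template match="/"><h1>Hello <xsl:value-of select="$username"/></h1>' .
        '<ul><xsl:for-each select="//module"><li><xsl:value-of select="."/></li></xsl:for-each></ul>' .
        '</xsl:template></xsl:stylesheet>'
    );
    $proc = new XSLTProcessor();
    $proc->importStylesheet($xsl);
    $proc->setParameter('', 'username', $username);
    return $proc->transformToXml($xml);
}

// The vendor probe from the page: evaluated by the first function, shown
// back as harmless text (&lt;xsl:value-of ...) by the second.
$probe = '<xsl:value-of select="system-property(\'xsl:vendor\')"/>';
echo renderVulnerable($xml, $probe), "\n";
echo renderSafe($xml, $probe), "\n";
```

The same pattern applies to the PHP-free disclosure payload and to the file_get_contents and system payloads: once user input is data rather than stylesheet source, none of them are interpreted, and leaving registerPHPFunctions() out removes the php:function namespace even if injection were found elsewhere.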