Hello, I have a project at school. I need to create websites that have various vulnerabilities. I created an API using Node.js and Express.js. I have a login system where the data is stored in and queried from a JSON file. However, I want to create an XXE vulnerability. For this I sent an XML file to index.js (Node.js) using JavaScript. I converted the XML file to JSON with xml2js. But I would like to change the settings so that an XXE vulnerability becomes possible.
Configuration:
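// xml2js parser shared by the login route below.
// NOTE(review): `dtdvalid`, `xmldecl`, `doctype` and `xmlCharKey` are not
// options I can find in the xml2js Parser option list — confirm against the
// installed version; unrecognised keys are most likely ignored. As far as I
// know xml2js (built on sax) never fetches external entities, so a DOCTYPE
// declaring a SYSTEM entity is reported as a parse error ("Invalid XML")
// rather than resolved.
var parser = new xml2js.Parser({
  dtdvalid: false,
  // `xmldecl` was listed twice; in an object literal the later key wins, so
  // only this `{ doctype: true }` value ever took effect.
  xmldecl: { doctype: true },
  doctype: true,
  explicitArray: true, // child elements always become arrays → `root.username[0]`
  normalize: true,     // collapse whitespace inside text nodes
  charkey: '&',        // key under which text content is stored
  xmlCharKey: '&'
});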
app.post:
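// POST /projekt/XXE/api/login/
// Reads an XML body of the form <root><username>..</username><password>..</password></root>,
// looks the user up in users.json and checks the password with bcrypt.
// Responses: 200 login ok, 400 bad/missing XML fields, 401 wrong password,
// 404 unknown user, 413 body too large, 500 users.json unreadable.
app.post('/projekt/XXE/api/login/', (req, res) => {
  // Cap what is handed to the XML parser. Constructed limit — tune to what
  // the client really sends.
  const MAX_BODY_CHARS = 64 * 1024;
  let body = "";
  let tooLarge = false;

  // Username and error text are reflected back; send them as plain text so a
  // crafted value is not rendered as HTML by a browser.
  res.type('text/plain');

  req.on('data', chunk => {
    if (tooLarge) return; // keep draining the stream, but stop accumulating
    body += chunk.toString();
    if (body.length > MAX_BODY_CHARS) {
      tooLarge = true;
      res.status(413).send('Request body too large');
    }
  });

  req.on('end', () => {
    if (tooLarge) return; // 413 already sent

    // Presumably the client sends the XML as a JSON string literal, hence the
    // surrounding double quotes. Strip them once on the complete body: doing
    // it per chunk (as before) removes quotes from the middle of a document
    // that arrives in several chunks, and triples a one-character body.
    body = body.replace(/^"/, '').replace(/"$/, '');
    // Log only the size; the body carries the password.
    console.log(`login request body: ${body.length} chars`);

    parser.parseString(body, (err, result) => {
      if (err) {
        // Do not echo the raw body: it is attacker-controlled text.
        res.status(400).send('Invalid XML');
        return;
      }
      const root = result && result.root;
      const username = root && Array.isArray(root.username) ? root.username[0] : undefined;
      const password = root && Array.isArray(root.password) ? root.password[0] : undefined;
      // Without this guard a document lacking <username>/<password> throws
      // inside the callback, which Express cannot catch, and the process dies.
      if (typeof username !== 'string' || typeof password !== 'string') {
        res.status(400).send('Missing username or password');
        return;
      }

      fs.readFile('users.json', (readErr, data) => {
        if (readErr) {
          res.status(500).send('Error reading users file');
          return;
        }
        let users;
        try {
          users = JSON.parse(data);
        } catch (parseErr) {
          // Malformed users.json used to throw out of the callback.
          res.status(500).send('Error reading users file');
          return;
        }
        if (!Array.isArray(users)) {
          res.status(500).send('Error reading users file');
          return;
        }
        const user = users.find(u => u.username === username);
        if (!user) {
          // 404 here vs 401 below tells a client which accounts exist; this is
          // part of the lab. A production login would answer 401 with one
          // generic message for both cases.
          res.status(404).send(`User ${username} not found`);
          return;
        }
        bcrypt.compare(password, user.password, (cmpErr, same) => {
          if (cmpErr) {
            // Previously a compare error was indistinguishable from a wrong password.
            res.status(500).send('Error verifying password');
            return;
          }
          if (same) {
            res.status(200).send('Login successful');
          } else {
            res.status(401).send('Invalid password');
          }
        });
      });
    });
  });
});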
However, when I create a payload that uses the & character, I only get the message 'Invalid XML'.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "file:///etc/passwd">
]>
<root><username>
&company;
</username><password>1123</password></root>
Thanks for the help in advance