Finding vulnerabilities like XXE in bug bounty programs is awesome. I found an XXE bug in a private bug bounty program by converting a JSON request into an XML request. It was a nice find, so I thought I would share it with you all.
While fuzzing requests and responses, I came across an API request that sent its body as JSON, as shown below:
For a valid request, the response was 204 No Content.
I am most comfortable with Burp Suite, so I downloaded the extension named "Content Type Converter". This extension lets you convert a JSON request to XML, an XML request to JSON, and a normal form request to JSON, so that you can play with the request and response formats. (There are plenty of websites for this as well, but using the extension is more effective and convenient.)
So I converted the JSON request to XML and checked the response, as shown below:
The response was 204 No Content, which was unexpected: the same response code for the JSON request and the XML request. In other words, the endpoint was parsing XML even though it only needed JSON. (I was very happy at that point.)
Obviously, my next step was to add an XXE payload and check for a callback on my attacker machine (a Kali instance hosted on Amazon).
Request with XXE payload:
Response on my attacker machine:
The callback confirmed that the parser resolved external entities, so internal server files could now be fetched over the HTTP or FTP protocol.
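The root cause is an endpoint that only ever needed JSON but also parsed XML with DTD processing enabled. As an added example (not code from the original post or from the affected service), here is a Python request-body handler that allow-lists the content type and, for services that genuinely must accept XML, refuses any DOCTYPE so that no external entity can be declared; the function names, the ALLOW_XML switch and the sample bodies are my own assumptions.

```python
import json
import xml.parsers.expat

# Assumed policy for an API that was designed for JSON only: keep XML off.
ALLOW_XML = False


class UnsafeXMLError(ValueError):
    """Raised when a body carries a DOCTYPE, which is where XXE lives."""


def parse_xml_without_dtd(body: bytes) -> dict:
    """Parse a flat XML document into {tag: text}, refusing any DOCTYPE.

    Without a DOCTYPE there can be no entity declarations, so neither
    external entities (file://, http://, ftp://) nor parameter entities
    can be introduced, whatever else the parser is configured to do.
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    buf: list = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Exceptions raised in an expat handler propagate out of Parse().
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def end(name):
        text = "".join(buf).strip()
        if text:
            result[name] = text
        buf.clear()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda *args: 0  # belt and braces
    parser.StartElementHandler = lambda name, attrs: buf.clear()
    parser.CharacterDataHandler = buf.append
    parser.EndElementHandler = end
    parser.Parse(body, True)
    return result


def parse_request_body(content_type: str, body: bytes) -> dict:
    """Content-type allow-list: JSON always, XML only if explicitly enabled."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/json":
        return json.loads(body)
    if ALLOW_XML and media_type in ("application/xml", "text/xml"):
        return parse_xml_without_dtd(body)
    raise ValueError(f"unsupported content type: {media_type!r}")
```

With ALLOW_XML left at False, a converted XML request is rejected before any parser sees it; with it enabled, the same request is rejected at the DOCTYPE.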
Stay tuned for further blog posts.