Cross-Site-Scripting - Reflected (AJAX/XML)

Published: 21 May 2019 at 19:55 UTC | Updated: 06 June 2021 at 10:45 UTC

This is a demonstration of a Cross-Site Scripting attack in the XML response of an AJAX webpage. For this demo, I'll be using bWAPP, a buggy web application that we can use to test various web vulnerabilities.

bWAPP Official Link:-

Now choose Cross-site-Scripting - Reflected (AJAX/XML) from the drop-down menu and click Hack.

We get the same user interface again, asking the user to enter a movie name, so we will follow the same steps as in our last tutorial (Cross-site-Scripting - Reflected (AJAX/JSON)). I'll enter the movie name "Skyfall", and you can see above that the movie name is reflected on the webpage, so we can inject our payload.

As per the above screenshot, when I try to print the movie name in bold using angle brackets, it fails and the result comes back as "undefined". This is because in an XML response, if you enter opening and closing angle brackets, the application builds a new node and the XML document becomes invalid.

So in order to inject our payload, we need to HTML-encode it. Let's encode this HTML tag.

Encode HTML tag

Html Encode/Decode but you can also use other sites. As you can see here, it's encoded, so let's copy it and paste it into our input box.

And it's working now: we are able to print our movie name in bold.

How it's working?

  1. XML ampersand: the "&" symbol is used to represent entities, and all the entities are mapped to the Unicode charset.
  2. The format of each entity is "&symbol;".
  3. If, in the current design, the "&" symbol is not encoded as "&amp;", then it can be used to test for XML injection.
  4. So in order to prevent this attack, proper encoding of special characters is required.

<img src=x onerror=alert('Skyfall')>

As you can see, after encoding we are able to inject an XSS payload into the XML response. As already mentioned, proper encoding of special characters prevents this attack.
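The flow described above, as an added example that is not bWAPP's code or part of the original post: a weak response builder next to a hardened one, run over the raw and the entity-encoded bold tag. It assumes the client reads the text node of a `<response>` element and assigns it to `innerHTML`; every function name here is hypothetical, and the XML parser is a minimal stand-in that only handles the entities shown.

```javascript
// Added example: a constructed model of the flow, not bWAPP's source.
// Every function name and the <response> element are assumptions.

// Encode the characters that are special in both XML and HTML ("&" first).
function encode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Weak server: user input is concatenated into the XML unchanged.
const buildWeak = (title) => `<response>${title}</response>`;

// Hardened server: encode once for the HTML sink, once for the XML transport.
const buildHardened = (title) => `<response>${encode(encode(title))}</response>`;

// Minimal stand-in for the browser's XML parser reading the text node.
// A raw "<" creates a child element, so there is no text value to return.
function readTextNode(xml) {
  const m = /^<response>([\s\S]*)<\/response>$/.exec(xml);
  if (!m || m[1].includes("<")) return undefined;
  const ent = { "&lt;": "<", "&gt;": ">", "&amp;": "&", "&quot;": '"', "&#39;": "'" };
  return m[1].replace(/&(?:lt|gt|amp|quot|#39);/g, (e) => ent[e]);
}

// Would an innerHTML assignment of this value create an element?
const createsElement = (v) => typeof v === "string" && /<[a-z]/i.test(v);

// Run one input through a builder and report what the page would receive.
function trace(build, input) {
  const value = readTextNode(build(input));
  return { value, createsElement: createsElement(value) };
}

const raw = "<b>Skyfall</b>";                  // constructed sample input
const encoded = "&lt;b&gt;Skyfall&lt;/b&gt;";  // same input, entity-encoded

console.log(trace(buildWeak, raw));         // no text node: XML gained a <b> child
console.log(trace(buildWeak, encoded));     // parser decodes it back to a tag
console.log(trace(buildHardened, raw));     // stays inert text
console.log(trace(buildHardened, encoded)); // stays inert text
```

Encoding only once would make the XML well-formed but hand the original string back to `innerHTML`, which is why the hardened builder encodes for both layers.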

For more information, see the following links:

  1. Testing for AJAX Vulnerabilities (OWASP-AJ-001)
  2. XSS (Cross Site Scripting) Prevention Cheat Sheet
  3. OWASP/Cheat Sheet Series

Thank you for reading this post and Happy Hacking :)