0x12 - XML Formatted XSS Payloads

Did you know that injecting XSS payloads into an XML form tends to produce an invalid XML document if it is not done properly?

Data submitted as part of an XML form is encapsulated in XML tags

Tags are delimited by the less-than (<) and greater-than (>) characters

Similarly, many XSS payloads use the < and > characters

Without escaping your XSS payloads, the XML document will not be well-formed and the server will reject your request before you get to find any vulnerability

To avoid this, you must make sure to set your Intruder injection point inside a <![CDATA[]]> section, which tells the XML parser to treat everything between <![CDATA[ and ]]> as literal text


How to do it

  1. Send the request to Intruder

  2. Pick the injection place (for example the <City>Boston</City> tag in the image)

  3. Surround the value with the <![CDATA[]]> section (i.e. <![CDATA[Boston]]>)

  4. Now set the Intruder injection point: <City><![CDATA[§INJECTION_POINT§]]></City>

    Wrong:   <City>§INJECTION_POINT§</City>
    Correct: <City><![CDATA[§INJECTION_POINT§]]></City>
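The following is an added example (not from the original tip) that shows, with Python's standard XML parser, why the wrong form is rejected and the correct form is accepted. It also handles one caveat the steps above do not mention: a CDATA section ends at the first "]]>" it contains, so a value that includes "]]>" must be split across two sections. SAMPLE_VALUE is a constructed, benign markup string, not a payload.

```python
import xml.etree.ElementTree as ET

# Constructed sample value containing the characters that break a raw XML
# document: < > & and the CDATA terminator "]]>". Benign markup, not an exploit.
SAMPLE_VALUE = '<b>Boston</b> & "]]>" <i>x</i>'


def wrap_cdata(value: str) -> str:
    """Wrap a string in a CDATA section.

    The parser ends a CDATA section at the first "]]>" it sees, so any "]]>"
    inside the value is split as "]]" + ">" across two adjacent sections.
    """
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def build_request(city_value: str, use_cdata: bool) -> str:
    """Build the <City> element in the 'wrong' (raw) or 'correct' (CDATA) form."""
    inner = wrap_cdata(city_value) if use_cdata else city_value
    return f"<Request><City>{inner}</City></Request>"


def parse_city(xml_doc: str):
    """Return (well_formed, city_text); city_text is None when parsing fails.

    This mirrors what the server-side XML parser does before the application
    ever sees the value: a document that is not well-formed is rejected.
    """
    try:
        root = ET.fromstring(xml_doc)
    except ET.ParseError:
        return False, None
    # Adjacent CDATA sections are merged into one text node by the parser.
    return True, root.findtext("City")


if __name__ == "__main__":
    print("raw:  ", parse_city(build_request(SAMPLE_VALUE, use_cdata=False)))
    print("cdata:", parse_city(build_request(SAMPLE_VALUE, use_cdata=True)))
```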