XML Injection

AJAX applications often exchange data with the server as XML.

Because that XML passes through the client, an attacker can intercept and alter it in either direction: the response that tells the page which options to offer, or the request the page sends back. A server that assumes the client could only pick from the options it was offered will honour whatever the altered XML contains.

Solution

  • Launch WebScarab and configure it to intercept requests

  • On the WebGoat-Miles page, enter your account ID and check the boxes for all of the rewards that are listed

  • Click submit

  • Intercept the request with WebScarab

  • Add extra reward entries to the request for items you were not offered (the server does not recheck what it listed), then forward it

Alternatively, intercept the HTTP response that comes back after you enter your account ID and add the following elements to its XML:

    <reward>WebGoat Core Duo Laptop 2000 Pts</reward>
    <reward>WebGoat Hawaii Cruise 3000 Pts</reward>

This adds the two options client side. Check those boxes and submit; the request sent to the server now includes rewards you were never offered, and the lesson's server accepts them.
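The following is an added example, not code from WebGoat or from this page. It models the whole flow in Node.js: the server builds the XML reward list from the account balance, the client renders checkboxes from it, the response is tampered with as in the alternative step above, and the submitted request is handled by a vulnerable handler (trusts the ticked labels) next to a hardened one (recomputes eligibility from server-side data). The two expensive reward names come from the page; the `<root>` wrapper, the cheaper rewards, every point cost and the account balance are assumptions made for this example.

```javascript
// Added example (not WebGoat's code). Models the XML Injection lesson flow.

// Reward catalogue, name -> cost in points. The laptop and cruise are named
// on the page; the other entries and all costs are assumed for this example.
const CATALOGUE = {
  "WebGoat Mug": 20,
  "WebGoat t-shirt": 50,
  "WebGoat Core Duo Laptop": 2000,
  "WebGoat Hawaii Cruise": 3000,
};

// Server side: build the XML the AJAX call returns. Only rewards the account
// can afford are listed. <root> is an assumed wrapper element.
function buildRewardsXml(balance) {
  const rewards = Object.entries(CATALOGUE)
    .filter(([, cost]) => cost <= balance)
    .map(([name, cost]) => `<reward>${name} ${cost} Pts</reward>`);
  return `<root>${rewards.join("")}</root>`;
}

// Client side: pull the reward labels out of the XML to draw checkboxes.
// A regex keeps this runnable in Node without a DOM; in the browser the page
// would use DOMParser for the same job.
function parseRewards(xml) {
  return [...xml.matchAll(/<reward>([^<]+)<\/reward>/g)].map((m) => m[1]);
}

// The tampering described on the page: extra <reward> elements are appended
// to the intercepted response, so the client draws boxes the server never offered.
function injectRewards(xml, labels) {
  const injected = labels.map((l) => `<reward>${l}</reward>`).join("");
  return xml.replace("</root>", injected + "</root>");
}

// Split a "Name NNN Pts" label as posted back in the request.
function parseLabel(label) {
  const m = /^(.*) (\d+) Pts$/.exec(label);
  return m ? { name: m[1], cost: Number(m[2]) } : null;
}

// Vulnerable handler: assumes the client could only tick boxes the server
// listed, so any catalogue item in the request is granted without rechecking
// the balance. This is the behaviour the lesson exploits.
function redeemVulnerable(submittedLabels) {
  return submittedLabels
    .map(parseLabel)
    .filter((r) => r !== null && r.name in CATALOGUE)
    .map((r) => r.name);
}

// Hardened handler: eligibility is recomputed from server-side state (the
// balance and the catalogue); the cost text in the request is ignored.
function redeemSafe(balance, submittedLabels) {
  const granted = [];
  let remaining = balance;
  for (const label of submittedLabels) {
    const r = parseLabel(label);
    if (r === null || !(r.name in CATALOGUE)) continue;
    const cost = CATALOGUE[r.name];
    if (cost > remaining) continue;
    granted.push(r.name);
    remaining -= cost;
  }
  return { granted, remaining };
}

// Walk through the attack with an assumed balance of 100 points.
const balance = 100;
const offered = buildRewardsXml(balance);
const tampered = injectRewards(offered, [
  "WebGoat Core Duo Laptop 2000 Pts",
  "WebGoat Hawaii Cruise 3000 Pts",
]);
const ticked = parseRewards(tampered); // the user ticks every box shown
console.log("vulnerable:", redeemVulnerable(ticked));
console.log("hardened:", redeemSafe(balance, ticked));
```

The fix is not to validate the XML more carefully on the client; it is to stop treating the list the server sent as a promise the client kept. `redeemSafe` looks up each submitted reward in the server's own catalogue and deducts from the server's own balance, so injected elements in the response or request buy nothing.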
