From e347203ec41939f27768bec60eb954f5a0391fc0 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 4 Jul 2026 19:21:30 +0000 Subject: [PATCH] Add content from: HTB DevArea: Apache CXF XOP File Read, Hoverfly RCE, Flask C... --- .../pentesting-web/web-api-pentesting.md | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md index 00497a50ff2..118f20cccf3 100644 --- a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md +++ b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md @@ -28,6 +28,51 @@ Pentesting APIs involves a structured approach to uncovering vulnerabilities. Th - **Advanced Parameter Techniques**: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing. - **Version Testing**: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions. +### Apache CXF MTOM/XOP `xop:Include` as file-read / SSRF primitive + +If a SOAP service uses **Apache CXF** with **MTOM/XOP** enabled, test whether a parameter accepts an inline `xop:Include` element inside a **`multipart/related`** request whose root part is **`application/xop+xml`**. Apache's advisory for **CVE-2022-46364** states vulnerable versions parse the `href` of `XOP:Include` in MTOM requests and can perform SSRF-style fetches. + +Why this matters in practice: + +- Many testers try only plain `text/xml` SOAP bodies and miss that the vulnerable code path is reached only after switching to **MIME multipart + XOP**. +- If the application **reflects** the affected parameter in the SOAP response, the SSRF primitive can become **arbitrary local file read** by using `file://`. +- Even without reflection, `http://`/`https://` targets can still be useful for **blind SSRF** against internal services. + +Minimal structure to adapt to the target operation: + +```http +POST /service HTTP/1.1 +Content-Type: multipart/related; type="application/xop+xml"; start=""; boundary="MIME_boundary" + +--MIME_boundary +Content-Type: application/xop+xml; charset=UTF-8; type="text/xml" +Content-ID: + + + + + + + + +--MIME_boundary-- +``` + +Practical triage: + +1. Identify CXF version from the JAR, error pages, banners, or decompiled service artifacts. +2. Generate a valid SOAP request first (`?wsdl`, SoapUI, Burp WSDLer, traced client, decompiled stubs). +3. Convert the request to **`multipart/related`** and replace a parameter value with `xop:Include`. +4. Test `file:///etc/passwd` for reflection-based reads and `http://` for SSRF. + +After obtaining local file read, high-value targets often include: + +- **systemd units** in `/etc/systemd/system/` and `/lib/systemd/system/` for `ExecStart=`, `EnvironmentFile=`, usernames, bind addresses, and credentials passed on the command line +- **`/proc//cmdline`** to recover full launch arguments of interesting services +- **`/proc//environ`** to recover secrets injected as environment variables +- service-specific config, env, or wrapper scripts referenced by the unit file + ### Authorization & Business Logic (AuthN != AuthZ) — tRPC/Zod protectedProcedure pitfalls Modern TypeScript stacks commonly use tRPC with Zod for input validation. In tRPC, `protectedProcedure` typically ensures the request has a valid session (authentication) but does not imply the caller has the right role/permissions (authorization). This mismatch leads to Broken Function Level Authorization/BOLA if sensitive procedures are only gated by `protectedProcedure`. @@ -101,5 +146,8 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0 - [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire) - [How An Authorization Flaw Reveals A Common Security Blind Spot: CVE-2025-59305 Case Study](https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study) +- [Apache CXF advisory for CVE-2022-46364](https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt) +- [Apache CXF security advisories](https://cxf.apache.org/security-advisories.html) +- [0xdf - HTB DevArea](https://0xdf.gitlab.io/2026/07/04/htb-devarea.html) {{#include ../../banners/hacktricks-training.md}}