Thread: Reporting vulnerabilities

  1. #1

    Reporting vulnerabilities

    Respected members,

    Recently I came across a situation where I found an issue but I cannot exploit it. I am in a dilemma about whether I should report it or not.

    The issue is XEE: XML Entity Expansion. XML entities are being expanded as part of an error message. The content of the error message is truncated after 4 entities, so I can expand only up to 4 entities.

    Now my questions are:

    1) Is this really a qualified XEE case?
    2) Would you report it or not? If you decide to report, would you name it as "Potential XEE" or just "XEE"?
    3) How should we report in cases of asynchronous vulnerabilities like Blind Second Order SQL Injection, Blind XSS etc?

    Please share your valuable thoughts.

    Regards,
    Nagpradis

  2. #2
    Quote: "The issue is XEE: XML Entity Expansion. XML entities are being expanded as part of an error message. The content of the error message is truncated after 4 entities, so I can expand only up to 4 entities."
    If I'm not wrong, you're talking about XXE. Could you please share the output to give a clearer picture? You can send me a PM for that.

    Now my questions are:

    Quote: "1) Is this really a qualified XEE case?"
    Are you able to execute commands using XML External Entity (XXE)? How are you validating that this is an XXE?

    Quote: "2) Would you report it or not? If you decide to report, would you name it as "Potential XEE" or just "XEE"?"
    I would suggest not reporting it before you have a potentially working exploit, or at least one proof of concept.

    For reference, you can look at https://blog.bugcrowd.com/advice-from-a-researcher-xxe/

    Quote: "3) How should we report in cases of asynchronous vulnerabilities like Blind Second Order SQL Injection, Blind XSS etc?"
    Simple.

    Amol already posted about SQL injection testing here: http://garage4hackers.com/showthread.php?t=1990

    I hope this would help you.

  3. #3
    amolnaik4
    As per the XEE description (http://projects.webappsec.org/w/page...ty%20Expansion), this vulnerability results in a DoS that consumes all server resources. From your description it doesn't look like you are able to perform a DoS, as it only expands up to 4 entities. Here are my responses to your queries:
    1) Is this really a qualified XEE case?
    -- IMO the vulnerability is not valid unless the impact is proven. In this case, it's not.
    2) Would you report it or not? If you decide to report, would you name it as "Potential XEE" or just "XEE"?
    -- It totally depends on where you found this. If this app is under a professional test or internal assessment, you might want to report it as a potential XEE, as in future it might turn into a real DoS if anything changes. If this is under a bug bounty, you may want to report it as above, not expecting any reward or HoF, as this is not actually a bug ATM.
    3) How should we report in cases of asynchronous vulnerabilities like Blind Second Order SQL Injection, Blind XSS etc?
    -- I didn't get this question and I don't want to answer it based on assumptions. If you could provide more info on this, it'll be great.

    AMol NAik
