
XML Injection

Sam Sanoop edited this page Jan 13, 2026 · 2 revisions

Vulnerability Overview

The application allows users to import their profile data via XML. The backend parser (xml2js) converts the XML structure into a JavaScript object and uses it to update the user's document in the database.

However, the update logic blindly trusts the fields provided in the XML. This is a Mass Assignment vulnerability. Even though the "role" or "admin" status is not normally editable by users, an attacker can inject these fields into the XML payload.
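As an added example (not the wiki's or the target application's own code), the mass-assignment pattern described above reduced to a vulnerable update builder beside an allow-listed one. It assumes xml2js is run with explicitArray: false, so the parsed object is constructed inline in that shape rather than parsed from XML; the function names are hypothetical.

```javascript
// Constructed to mirror the object xml2js (explicitArray: false) yields for
// the malicious payload shown in the exploit steps; every value is a string.
const parsedMaliciousImport = {
  userProfile: {
    username: 'vulntest',
    admin: 'true',            // hidden field injected alongside the bio
    bio: 'I am now Admin!',
  },
};

// Vulnerable pattern (hypothetical, mirrors the behaviour the wiki describes):
// every parsed field is copied straight into the database update, so
// "admin" and "role" ride along with "bio".
function vulnerableBuildUpdate(parsed) {
  return { ...parsed.userProfile };
}

// Hardened pattern: only allow-listed, user-editable fields are copied, the
// identity comes from the session rather than the import, and anything else
// is reported so it can be logged as a tampering signal.
const EDITABLE_FIELDS = ['bio'];
const MAX_BIO_LENGTH = 500;

function safeBuildUpdate(parsed, sessionUsername) {
  const profile = (parsed && parsed.userProfile) || {};
  // A repeated <username> becomes an array under xml2js, which also fails here.
  if (profile.username !== undefined && profile.username !== sessionUsername) {
    throw new Error('imported username does not match the logged-in user');
  }
  const update = {};
  const rejected = [];
  for (const [key, value] of Object.entries(profile)) {
    if (key === 'username') continue; // identity is taken from the session
    if (EDITABLE_FIELDS.includes(key) && typeof value === 'string') {
      update[key] = value.slice(0, MAX_BIO_LENGTH);
    } else {
      rejected.push(key); // e.g. "admin", "role", or nested elements
    }
  }
  return { update, rejected };
}
```

A non-empty rejected list on an import is worth alerting on, since legitimate exports never carry an admin or role element.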

Exploit Steps

Step 1: Access the Profile XML Area

  1. Log in to the application.
  2. Navigate to the Home area.
  3. Click on the link "Profile XML (Export/Import)".

Step 2: Export Your Profile

  1. In the "Export Profile" section, enter a bio (optional) and click Export XML.
  2. You will see an XML structure similar to this:
    <userProfile>
      <username>your_username</username>
      <role>user</role>
      <bio>your_bio</bio>
    </userProfile>
    Note: The <role> tag here is for display purposes, but the backend also checks for an <admin> boolean field.

Step 3: Construct the Malicious Payload

  1. Copy the exported XML.

  2. Modify it to include the hidden <admin> field. Set it to true.

  3. You can also modify your bio to confirm the change.

    Malicious Payload:

    <userProfile>
      <username>your_username</username>
      <admin>true</admin>
      <bio>I am now Admin!</bio>
    </userProfile>

    Note: Ensure you replace your_username with your actual username (e.g., vulntest or whatever you logged in as).

Step 4: Import the Malicious XML

  1. Scroll down to the "Import Profile (XML)" section.
  2. Paste your malicious payload into the text area.
  3. Click Import XML.
  4. You should see a success message indicating the profile was updated. The response data might show "admin": true.

Step 5: Verify Privilege Escalation

  1. Go back to the Home area.
  2. Check the "Your Profile" card in the left sidebar.
  3. The Role should now display Admin.
