Dear Infosec people who have looked at XML and XXE before: I am trying to get an understanding of Blind XXE.
Many of the descriptions I find are lacking an important detail which makes the attack much less practical. Blind XXE works by building a URL which contains the content of a file, allowing content to be exfiltrated. However, in all my tests, that *only* works if the file contains no newlines, as those are not allowed in URLs. Am I missing something?
🧵
@hanno not unlikely, if you have an exploit to chain with it to dump something important to a file.
Have you read some of the recent #watchTowr posts?