Burp Suite User Forum


XML injection error in JSON requests

Leon | Last updated: Jun 13, 2022 02:29PM UTC

Hello! We are doing Burp scans on our application to tighten up security, and the scanner says we have an XML injection vulnerability because it inserted XML into JSON and the back-end threw an exception. The errors are format exceptions because it inserted it into number fields. Is this maybe a false positive vulnerability? I'm confused as to what needs to be done, if anything needs to be done. Kind regards

Hannah, PortSwigger Agent | Last updated: Jun 14, 2022 09:15AM UTC

Hi, If the Scanner finds a vulnerability, we would recommend manually replicating it to verify. If your back-end is throwing an exception, is there any information disclosed to the user that they may be able to use to find another attack surface? You can check out further information here:

- https://portswigger.net/kb/issues/00100700_xml-injection
- https://portswigger.net/web-security/xxe
- https://portswigger.net/web-security/information-disclosure
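One way to do the manual check Hannah describes, as an added example that is not part of the thread or PortSwigger's own code: a strict JSON handler is fed the kind of body the scanner sends (a tag-bearing string in an integer field) and the response is inspected for whether the exception text, and with it the injected payload, is reflected to the client. Field names and bodies are constructed for this example.

```python
import json
import logging

# Sample bodies, constructed for this example: a normal request and one
# where a scanner has replaced the numeric field with an XML-style payload.
GOOD_BODY = '{"productId": 42, "quantity": 3}'
SCANNER_BODY = '{"productId": 42, "quantity": "3<a>x</a>"}'

INT_FIELDS = ("productId", "quantity")


def parse_order(body):
    """Strict deserialization: every expected field must be a JSON integer."""
    data = json.loads(body)  # raises json.JSONDecodeError (a ValueError) on bad JSON
    for name in INT_FIELDS:
        value = data.get(name)
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"field {name!r} must be an integer, got {value!r}")
    return data


def leaky_handler(body):
    """The behaviour to look for when triaging: the exception text is echoed
    to the client, so the injected payload and type details come back."""
    try:
        parse_order(body)
        return 200, "ok"
    except ValueError as exc:
        return 500, f"Internal error: {exc}"


def hardened_handler(body):
    """Log the detail server-side and return a fixed message to the client."""
    try:
        parse_order(body)
        return 200, "ok"
    except ValueError as exc:
        logging.warning("rejected request body: %s", exc)
        return 400, "Invalid request"


def discloses_payload(handler, body, marker="<a>"):
    """True if the response reflects the injected marker, which is what a
    manual check of a scanner finding should look for."""
    _, text = handler(body)
    return marker in text
```

A finding where `discloses_payload` is true for the real endpoint is worth fixing even when the only root cause is a type mismatch; if only a fixed message comes back, the remaining question is whether the error itself matters.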

Leon | Last updated: Jun 14, 2022 11:24AM UTC

Hello! No, the errors are just formatting errors. No user information is disclosed. The errors can be easily replicated, because it put some tags into integer and long fields and enums, so they could not be serialized. Kind Regards,

Hannah, PortSwigger Agent | Last updated: Jun 15, 2022 12:37PM UTC

Hi, Unfortunately, interpreting scan results is outside of the scope of our support. If there's anything else that we can help with, then please let us know.
