Hi Researchers,
The motive of this post is to ask a question on how to go ahead in a situation like this, and also I would like to share a few tips/tricks I used to dig up some juicy information.
I was testing an Android application. The API has HMAC signature validation which I couldn't bypass yet. The API is built using the Spring architecture in Java; although it's a JSON REST API, when I change the Content-Type to application/xml with invalid chars, I get a 400 Bad Request with XML parsing errors.
Sample response:
{"timestamp":1498844084320,"status":400,"error":"Bad Request","exception":"org.springframework.http.converter.HttpMessageNotReadableException","message":"Could not unmarshal to [class com.xxxx.xxxxx.xxxxxxx]: null; nested exception is javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.]","path":"/ixxxx/xxxx/1.0"}
I've tried out the usual XXE payloads, yet to try OOB blind ones. On seeing the presence of the SAXParse exception I strongly believe it's an XML parser; the only thing I have to check is if it's configured with external entity interaction. But the problem I am facing here is, if I give the JSON body as XML, the server isn't able to recognize the HMAC param and throws signature validation failed errors, because the HMAC is verified even before the input is sent into the XML parser, I guess.
I would like to hear from you guys where I am going wrong, and also if anyone has ever encountered Spring application XXE challenges, do let me know.
Finally, for new researchers in this area: when pentesting a mobile application, do not look only into the API requests themselves. I opened the API domain in my browser, found the Spring Boot admin UI, read through the Spring docs and got to know Spring provides several endpoints enabled by default for developers. I picked a few endpoints and tried those on my target, and was amazed to see information like server access logs, trace logs for the last 100 requests with users' public and private IPs, environment variables, etc.
Reference: Spring Boot Endpoints