Is it valid XXE or false positive?

Hi all,
I want to ask a question about XML external entity expansion [XXE bomb] which leads to a DDoS attack.
When I uploaded an XML file I got an XML error telling me "XML parser error", so I told myself there is a chance for XXE.
So I uploaded an XML file again with this payload:

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

And when I request the file it echoes the word lol unlimited times. After I reported it, it was a false positive. Can someone explain why?
Thanks in advance.


According to the Standard Disclosure Terms (which apply to all BugCrowd programs and bounties), the Excluded Submission Types section shows that the following is not allowed:

Network level Denial of Service (DoS/DDoS) vulnerabilities.

The XXE bomb method that you mention would likely cause an issue with the application, but might also somehow be interpreted as being in this category. In some specific circumstances, this may trigger other behavior, but I’d imagine this would typically trigger a denial of service issue, as you stated.

Additionally, this type of attack may fail to meet another requirement for all programs and bounties:

Actions which affect the integrity or availability of program targets are prohibited and strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all use of automated tools.

Because of this, your submission may have been marked as invalid, or as a false positive - possibly depending upon the specific requirements of the program/bounty.

I think the best way to find out is to reach out to the Bugcrowd folks or the program owner(s) privately and ask why your report was rejected.

I hope this helps to answer your questions. Best wishes!

Edit: Corrected my comment about the network-level DOS vulnerability criteria, to show that it might have failed to meet this requirement based upon an interpretation of the rule.

For other bug hunts that allow this, you'll want to find a way to measure the server's response time when sending a normally formatted XML message vs. your XML bomb. Consider using Burp Intruder or 'curl' and 'time'. Consider that if this works it is processing the entity, and there is a good chance it will be vulnerable to other XXE attacks that are allowed :stuck_out_tongue:

1 Like
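The response-time measurement suggested above is the tester's view of the problem; the parser side is what a defender gets to check before an upload ever reaches the real parser. The script below is an added example, not code from this thread or from Bugcrowd. It reads only the DTD of an upload with Python's standard-library expat parser (stopping at `]>` so nothing in the body is expanded), lists the declared entities, and computes how many characters each would expand to without materialising the text. Run against the payload from the original post, it shows exactly why the server echoed "lol" without end: `&lol9;` alone expands to 300,000,000 characters. The rejection threshold, the benign sample document and the function names are assumptions for the example.

```python
"""Inspect an uploaded XML document's DTD for entity declarations and estimate
how large each entity expands to, without expanding it. Added example for this
thread; not code from the forum, from Bugcrowd or from any program owner."""
import re
import xml.parsers.expat

# Payload from the original post, with the DOCTYPE closed and a root element that
# references the outermost entity (which is what makes a parser echo "lol").
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
"""

# Constructed benign upload (assumption): one small entity used legitimately.
BENIGN = """<?xml version="1.0"?>
<!DOCTYPE order [
<!ENTITY company "Example Corp">
]>
<order><seller>&company;</seller><item>widget</item></order>
"""

PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}
_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


class _DoctypeFinished(Exception):
    """Raised inside an expat callback to stop parsing once the DTD has been read."""


def collect_entities(xml_text):
    """Return {name: replacement_text} for general entities in the internal DTD
    subset. Parsing is abandoned at ']>', so no reference in the document body
    is ever expanded. External (SYSTEM/PUBLIC) entities map to None."""
    entities = {}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param:
            entities[name] = value  # raw replacement text, references left as-is

    def on_end_doctype():
        raise _DoctypeFinished

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(xml_text, True)  # raises ExpatError on malformed input
    except _DoctypeFinished:
        pass
    return entities


def expansion_size(entities, name, _memo=None, _stack=()):
    """Characters that '&name;' expands to, computed from the declarations alone
    (memoised, so the lol9 chain costs nine steps rather than 10**8 copies)."""
    if _memo is None:
        _memo = {}
    if name in _memo:
        return _memo[name]
    if name in PREDEFINED:
        return PREDEFINED[name]
    if name in _stack:
        raise ValueError(f"recursive entity &{name};")
    text = entities.get(name)
    if text is None:  # undeclared or external: only the reference itself is countable
        return len(name) + 2
    size, last = 0, 0
    for m in _REF.finditer(text):
        size += m.start() - last
        size += expansion_size(entities, m.group(1), _memo, _stack + (name,))
        last = m.end()
    size += len(text) - last
    _memo[name] = size
    return size


def assess_upload(xml_text, max_expansion=100_000):
    """Decide whether an upload may be handed to the real parser. Rejects external
    entities outright and any entity expanding past max_expansion characters
    (threshold is an assumption). Returns (accepted, reason, worst_expansion)."""
    try:
        entities = collect_entities(xml_text)
    except xml.parsers.expat.ExpatError as e:
        return False, f"malformed XML: {e}", 0
    if any(v is None for v in entities.values()):
        return False, "external entity declaration", 0
    worst = 0
    for name in entities:
        try:
            worst = max(worst, expansion_size(entities, name))
        except ValueError as e:
            return False, str(e), 0
    if worst > max_expansion:
        return False, f"entity expansion of {worst} characters", worst
    return True, "ok", worst


if __name__ == "__main__":
    for label, doc in (("billion laughs", BILLION_LAUGHS), ("benign", BENIGN)):
        print(label, assess_upload(doc))
```

The check is deliberately cheap: it never touches the document body, so a DTD-only pre-scan like this can sit in front of any upload endpoint regardless of which parser sits behind it. Many deployments go one step further and reject any DOCTYPE at all in user-supplied XML, which removes this whole class along with external-entity XXE; the size estimate is useful where a legitimate internal DTD has to be allowed.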

Technically a buffer overflow that allows out-of-bounds write into the stack is also a Denial of Service attack that happens to crash the process if abused. However, in a very specific subset of cases, this "Denial of Service" can lead to Arbitrary Code Execution, and a lot of other things. Just because an input causes a DoS with most arguments does not guarantee it doesn't cause something more serious with the right arguments… :wink: