/oxml_xxe

A tool for embedding XXE/XML exploits into different filetypes

Primary LanguageRuby

oxml_xxe

This tool is meant to help test XXE vulnerabilities in OXML document file formats. Currently supported:

  • DOCX/XLSX/PPTX
  • ODT/ODG/ODP/ODS
  • SVG
  • XML

BH USA 2015 Presentation: Exploiting XXE in File Upload Functionality (Slides) (Recorded Webcast)

Blog Posts on the topic:

Installation

OXML_XXE was written in Ruby using Sinatra, Bootstrap, and Slim.

Docker

  1. Run docker build --tag oxml_xxe .
  2. Run docker run --name oxml_xxe -p 4567:4567 --rm oxml_xxe
  3. Browse to http://localhost:4567/ to get started.

Docker Compose

  1. Run docker-compose up --build
  2. Browse to http://localhost:4567/ to get started.

Ubuntu

Install dependencies:

apt-get install -y make git libsqlite3-dev libxslt-dev libxml2-dev zlib1g-dev gcc ruby3.2 g++

Bundle install:

gem install bundler
bundle install

Start the service:

ruby server.rb

Examples

See: https://github.com/BuffaloWill/oxml_xxe/wiki/python-docx