Lab: Blind XXE with out-of-band interaction via XML parameter entities

This lab has a "Check stock" feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.

To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to burpcollaborator.net.
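The defensive counterpart to this lab, as an added example that is not part of the PortSwigger page: a "Check stock" XML parser that refuses any DOCTYPE declaration up front and never resolves external or parameter entities, so the blind, out-of-band channel described above cannot be reached. It uses Python's standard-library expat binding; the element names `stockCheck`, `productId` and `storeId` and the sample documents are assumptions constructed for the example.

```python
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when a document carries a DOCTYPE (and so could declare entities)."""


def parse_stock_check(xml_bytes: bytes) -> dict:
    """Parse a stock-check document into {'productId': ..., 'storeId': ...}.

    Hardening applied (assumed policy for this example):
      * any DOCTYPE declaration is rejected before its internal subset is read;
      * parameter-entity parsing is disabled, so '%name;' references do nothing;
      * external entity references are refused, so no DNS/HTTP requests are made.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities, internal or external.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    found = {}
    text = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fail closed: legitimate stock-check requests carry no DTD at all.
        raise DtdRejected("DOCTYPE declarations are not accepted")

    def external_entity(context, base, system_id, public_id):
        # Returning 0 tells expat the reference could not be handled,
        # which aborts parsing with an ExpatError instead of fetching anything.
        return 0

    def start_element(name, attrs):
        text.clear()

    def character_data(data):
        text.append(data)  # may arrive in several chunks

    def end_element(name):
        if name in ("productId", "storeId"):
            found[name] = "".join(text).strip()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = end_element

    parser.Parse(xml_bytes, True)
    return found


# Constructed sample inputs (not taken from the lab).
BENIGN = b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
WITH_DOCTYPE = b"<!DOCTYPE stockCheck><stockCheck><productId>1</productId></stockCheck>"


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the document parses under the hardened policy, False if rejected."""
    try:
        parse_stock_check(xml_bytes)
        return True
    except (DtdRejected, expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_stock_check(BENIGN))
    print("DOCTYPE document accepted:", is_accepted(WITH_DOCTYPE))
```

Rejecting the DOCTYPE outright is the simplest rule because a request that legitimately needs a DTD is rare; the entity-parsing settings are kept as a second layer in case the DOCTYPE check is ever relaxed.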