
Lab: Blind XXE with out-of-band interaction via XML parameter entities

This lab has a "Check stock" feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.

To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to burpcollaborator.net.
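As an added defender-side example (not part of the PortSwigger lab or its solution), the Python below shows why a blocklist aimed at regular external entities does not see the parameter-entity form the lab describes, alongside a hardened stock-check parser that refuses any DOCTYPE before the internal subset is read. The request bodies and the `example.invalid` URL are constructed for the demonstration.

```python
import re
import xml.parsers.expat as expat

# Constructed sample request bodies (not taken from the lab). The third one declares a
# parameter entity ('%' before the name), the case the lab says the server's blocklist misses.
BENIGN = (b'<?xml version="1.0"?>'
          b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
REGULAR_ENTITY = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "http://example.invalid/">]>'
                  b'<stockCheck><productId>&xxe;</productId></stockCheck>')
PARAMETER_ENTITY = (b'<?xml version="1.0"?>'
                    b'<!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://example.invalid/"> %xxe;]>'
                    b'<stockCheck><productId>1</productId></stockCheck>')

# A blocklist of the kind the lab describes: it looks for a regular external entity
# declaration and never matches '<!ENTITY % name SYSTEM'.
NAIVE_PATTERN = re.compile(rb'<!ENTITY\s+\w+\s+SYSTEM', re.IGNORECASE)

def naive_filter_allows(xml_bytes):
    return NAIVE_PATTERN.search(xml_bytes) is None

class DoctypeRejected(ValueError):
    pass

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this at '<!DOCTYPE ...' before reading the internal subset,
    # so no entity declaration of either kind is ever processed.
    raise DoctypeRejected("DOCTYPE not permitted in stock-check requests")

def parse_stock_check(xml_bytes):
    """Hardened parser: refuse any DOCTYPE (the stock-check schema needs none)
    and disable parameter-entity parsing as a second layer."""
    fields, stack = {}, []
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartDoctypeDeclHandler = _reject_doctype
    p.StartElementHandler = lambda name, attrs: stack.append(name)
    p.EndElementHandler = lambda name: stack.pop()
    def on_text(data):  # expat may split one text node into several calls
        if stack and stack[-1] in ("productId", "storeId"):
            fields[stack[-1]] = fields.get(stack[-1], "") + data.strip()
    p.CharacterDataHandler = on_text
    p.Parse(xml_bytes, True)
    return fields

def is_rejected(xml_bytes):
    """True when the hardened parser refuses the body because it carries a DOCTYPE."""
    try:
        parse_stock_check(xml_bytes)
    except DoctypeRejected:
        return True
    return False
```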
